Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Combined Search - Difference in two lists

splunk219783
Path Finder
‎11-11-2020 11:44 AM

This always feels exceptionally difficult to me, i'm not sure what i'm missing.

I have a list of machines, a simple CSV with a Name, Category, and Tag.  Kind of like this:

VMCategoryTag
VM1BackupFriday
VM1DatacenterAWS
VM2BackupMonday
VM2CriticalYes
VM2DatacenterAzure
VM3CriticalNo
VM3DatacenterAzure

 

I want to find machines that do not have a backup Category, so in this example it would be VM3.

I've written a search to give me all Machines, and another one to give me all machines with backups.  I've written this:

index=vcenter source=*tag* | dedup VM | fields VM | search VM NOT [search index=vcenter source=*tag* Category=Backup* | dedup VM | fields VM] | table VM

I get some results but not all.

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-11-2020 12:21 PM

You have the general idea.

Check the subsearch by running it by itself and adding "| format" on the end.  You'll see it returns a result that looks like "(VM="VM1" OR VM="VM2)"".  That string is added to the main search to complete the query so we end up with 

index=vcenter source=*tag* | dedup VM | fields VM | search VM NOT (VM="VM1" OR VM="VM2") | table VM

 There's an extra "VM" in the search command.  Removing it works in my sandbox.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-11-2020 12:21 PM

You have the general idea.

Check the subsearch by running it by itself and adding "| format" on the end.  You'll see it returns a result that looks like "(VM="VM1" OR VM="VM2)"".  That string is added to the main search to complete the query so we end up with 

index=vcenter source=*tag* | dedup VM | fields VM | search VM NOT (VM="VM1" OR VM="VM2") | table VM

 There's an extra "VM" in the search command.  Removing it works in my sandbox.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

splunk219783
Path Finder
‎11-11-2020 12:30 PM

Thanks Rich.  When I run the subsearch by itself with | format i do get a whole list of:

(VM="VM1") OR (VM="VM2") OR (VM="VM3")

I'm not following on where I have the extra VM in my subsearch though?

0 Karma
Reply
Solved! Jump to solution

splunk219783
Path Finder
‎11-11-2020 03:14 PM

For anyone who stumbles in the future Rich was right, but I think his example was not.  I did not need VM between search and not in the second search.  The final search was:

 

 

index=vcenter source=*tag* | dedup VM | fields VM | search NOT [search index=vcenter source=*tag* Category=Backup* | fields VM]

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...