Solved: Disjoint results of multiple searches

mhagoel · ‎07-19-2021

I have 2 query searches, one returns set result A and the other one returns set result B.

I would like to get the results of A/B (results that appear in A but do not appear in B )

To be more specific:

First query is:

index="<...>" "attrs.pod"="<...> "attrs.env"=<...> "some log message" "accountId=1234" | rex field=line "accountId=(?<account_id>[0-9]+).*correlationId=(?<correlation_id>[\w-]+)" | stats values(correlation_id)

The query returns a list of correlation_id, such as:

values(correlation_id)

11

22

33

Second query is almost identical (different log message) :

index="<...>" "attrs.pod"="<...> "attrs.env"=<...> "Other log message" "accountId=1234" | rex field=line "accountId=(?<account_id>[0-9]+).*correlationId=(?<correlation_id>[\w-]+)" | stats values(correlation_id)

So the result is in the same structure, for example

values(correlation_id)

11

88

I would like a query which results in A/B, so in this case it should be

values(correlation_id)

22

33

I tried this query but it doesn't work:

index="<...>" "attrs.pod"="<...> "attrs.env"=<...> "some log message" "accountId=1234" | rex field=line "accountId=(?<account_id>[0-9]+).*correlationId=(?<correlation_id>[\w-]+)" | stats values(correlation_id)

| search NOT in

[search index="<...>" "attrs.pod"="<...> "attrs.env"=<...> "Other log message" "accountId=1234" | rex field=line "accountId=(?<account_id>[0-9]+).*correlationId=(?<correlation_id>[\w-]+)" | stats values(correlation_id)]

kamlesh_vaghela · ‎07-19-2021

@mhagoel

Can you please try this?

YOUR_FIRST_SEARCH | stats values(correlation_id) as correlation_id_A | appendcols [YOUR_SECOND_SEARCH| stats values(correlation_id) as correlation_id_B] | mvexpand correlation_id_A 
| eval flg=mvfind(correlation_id_B,correlation_id_A) | where isnull(flg) | table correlation_id_A

My Sample Search :

| makeresults | eval _raw="correlation_id
11
22
33"|multikv forceheader=1 | stats values(correlation_id) as correlation_id_A | appendcols [| makeresults | eval _raw="correlation_id
11
88"|multikv forceheader=1 | stats values(correlation_id) as correlation_id_B] | mvexpand correlation_id_A 
| eval flg=mvfind(correlation_id_B,correlation_id_A) | where isnull(flg) | table correlation_id_A

Thanks
KV
▄︻̷̿┻̿═━一 ?

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

kamlesh_vaghela · ‎07-19-2021

@mhagoel

Can you please try this?

YOUR_FIRST_SEARCH | stats values(correlation_id) as correlation_id_A | appendcols [YOUR_SECOND_SEARCH| stats values(correlation_id) as correlation_id_B] | mvexpand correlation_id_A 
| eval flg=mvfind(correlation_id_B,correlation_id_A) | where isnull(flg) | table correlation_id_A

My Sample Search :

| makeresults | eval _raw="correlation_id
11
22
33"|multikv forceheader=1 | stats values(correlation_id) as correlation_id_A | appendcols [| makeresults | eval _raw="correlation_id
11
88"|multikv forceheader=1 | stats values(correlation_id) as correlation_id_B] | mvexpand correlation_id_A 
| eval flg=mvfind(correlation_id_B,correlation_id_A) | where isnull(flg) | table correlation_id_A

Thanks
KV
▄︻̷̿┻̿═━一 ?

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

Disjoint results of multiple searches

join

stats

subsearch

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

Disjoint results of multiple searches

join

stats

subsearch

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases