Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Find the "No events"

fred1455
New Member
‎04-13-2019 07:52 AM

Given the search

stats count by Name, Fruit

results in:

Name, Fruit, count
Mike, Bananas, 10
Mike, Apples, 10
Susan, Apples, 5
Fred, Apples, 8
Susan, Oranges, 9
Fred, Oranges, 9

How to find only the persons without Oranges?
Result should be:

Mike
****

As the names are dynamic I do not have an inputlookup file for them ...
Thanks
Robert

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎04-13-2019 12:49 PM

Like this:

index=YouShouldAlwaysSpeciryAnIndex AND sourcetype=AndSroucetypeToo
| stats count BY Name, Fruit

| rename COMMENT AS "I believe that above is your existing search, so just add what is below"

| evenstats values(Fruit) AS Fruits BY Name
| search NOT Fruits = "Oranges"
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-13-2019 11:02 AM

Assuming you're looking for names that have fruit but no Oranges, stats values(Fruit) as Fruits by Name | search NOT Fruits = "Oranges".

If you're also looking for names that have no fruit at all then you'll need a list of reference names, otherwise any name ever would need to magically appear out of nowhere.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-13-2019 11:21 AM

Then you didn't run the search I wrote.

0 Karma
Reply

fred1455
New Member
‎04-13-2019 11:19 AM

Thanks for you effort.

But this will return:

Also Susan and Fred (as the also have lines without Oranges!)

What I want to see in my result is:

Only Mike

(as he is the only person without oranges)

But thanks

Robert

0 Karma
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...