Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How To Exclude Results From One Search Where a Field Value Matches the Field Value of Another Search

Traer001
Path Finder
‎04-19-2021 07:42 AM

Hello!

I have two searches that return separate data but have a common field. I am trying to filter my first search by excluding results where the common field value matches the field value in my second search. However, my results are not being filtered and I am not sure where I am going wrong in this query. They are fairly lengthy queries, so a smaller example is below.

 

Query 1:

index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_ONE |

rex field=_raw "User:\s(?<user_id>\d+)\sLocation:\s(?<loc>\w+)\sLocation\sId:\s(?<loc_id>\d+)" |

where user_id < 5000 |

table user_id, loc, loc_id, _time

 

Query 2:

index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_TWO |

rex field=_raw "User:\s(?<error_user_id>\d+)\sError:\s(?<error_type>\w+)\sOccurred" |

rex field=_raw "User:\s(?<error_user_id>\d+)\sError\sId:\s(?<error_id>\d+)" |

where error_user_id < 5000 |

table error_user_id, error_type, error_id, _time

 

Attempt at Filtering:

index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_ONE |

rex field=_raw "User:\s(?<user_id>\d+)\sLocation:\s(?<loc>\w+)\sLocation\sId:\s(?<loc_id>\d+)" |

where user_id < 5000 |

table user_id, loc, loc_id, _time |

search [search

index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_TWO |

rex field=_raw "User:\s(?<error_user_id>\d+)\sError:\s(?<error_type>\w+)\sOccurred" |

rex field=_raw "User:\s(?<error_user_id>\d+)\sError\sId:\s(?<error_id>\d+)" |

where error_user_id < 5000 |

table user_id, error_type, error_id, _time

] |

where user_id != error_user_id |

table user_id, loc, loc_id, _time

 

In this attempt to filter, I am trying to filter the first search and exclude any instances of users where the user_id matches the error_user_id. It isn't working, though. Any ideas on how I can get this to work?

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-19-2021 08:18 AM

Use outer join to count errors of either type by user_id and filter for when no errors have been found in the second search

index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_ONE |
rex field=_raw "User:\s(?<user_id>\d+)\sLocation:\s(?<loc>\w+)\sLocation\sId:\s(?<loc_id>\d+)" |
where user_id < 5000 |
table user_id, loc, loc_id, _time |
join type=outer user_id [search
index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_TWO |
rex field=_raw "User:\s(?<user_id>\d+)\sError:\s(?<error_type>\w+)\sOccurred" |
rex field=_raw "User:\s(?<user_id>\d+)\sError\sId:\s(?<error_id>\d+)" |
where user_id < 5000 |
eval error=coalesce(error_id, error_type) |
stats count(eval(isnotnull(error))) by user_id |
where count > 0
] |

where isnull(count) |

table user_id, loc, loc_id, _time

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-19-2021 08:18 AM

Use outer join to count errors of either type by user_id and filter for when no errors have been found in the second search

index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_ONE |
rex field=_raw "User:\s(?<user_id>\d+)\sLocation:\s(?<loc>\w+)\sLocation\sId:\s(?<loc_id>\d+)" |
where user_id < 5000 |
table user_id, loc, loc_id, _time |
join type=outer user_id [search
index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_TWO |
rex field=_raw "User:\s(?<user_id>\d+)\sError:\s(?<error_type>\w+)\sOccurred" |
rex field=_raw "User:\s(?<user_id>\d+)\sError\sId:\s(?<error_id>\d+)" |
where user_id < 5000 |
eval error=coalesce(error_id, error_type) |
stats count(eval(isnotnull(error))) by user_id |
where count > 0
] |

where isnull(count) |

table user_id, loc, loc_id, _time
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...