Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How To Exclude Results From One Search Where a Field Value Matches the Field Value of Another Search

Traer001
Path Finder
‎04-19-2021 07:42 AM

Hello!

I have two searches that return separate data but have a common field. I am trying to filter my first search by excluding results where the common field value matches the field value in my second search. However, my results are not being filtered and I am not sure where I am going wrong in this query. They are fairly lengthy queries, so a smaller example is below.

 

Query 1:

index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_ONE |

rex field=_raw "User:\s(?<user_id>\d+)\sLocation:\s(?<loc>\w+)\sLocation\sId:\s(?<loc_id>\d+)" |

where user_id < 5000 |

table user_id, loc, loc_id, _time

 

Query 2:

index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_TWO |

rex field=_raw "User:\s(?<error_user_id>\d+)\sError:\s(?<error_type>\w+)\sOccurred" |

rex field=_raw "User:\s(?<error_user_id>\d+)\sError\sId:\s(?<error_id>\d+)" |

where error_user_id < 5000 |

table error_user_id, error_type, error_id, _time

 

Attempt at Filtering:

index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_ONE |

rex field=_raw "User:\s(?<user_id>\d+)\sLocation:\s(?<loc>\w+)\sLocation\sId:\s(?<loc_id>\d+)" |

where user_id < 5000 |

table user_id, loc, loc_id, _time |

search [search

index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_TWO |

rex field=_raw "User:\s(?<error_user_id>\d+)\sError:\s(?<error_type>\w+)\sOccurred" |

rex field=_raw "User:\s(?<error_user_id>\d+)\sError\sId:\s(?<error_id>\d+)" |

where error_user_id < 5000 |

table user_id, error_type, error_id, _time

] |

where user_id != error_user_id |

table user_id, loc, loc_id, _time

 

In this attempt to filter, I am trying to filter the first search and exclude any instances of users where the user_id matches the error_user_id. It isn't working, though. Any ideas on how I can get this to work?

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-19-2021 08:18 AM

Use outer join to count errors of either type by user_id and filter for when no errors have been found in the second search

index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_ONE |
rex field=_raw "User:\s(?<user_id>\d+)\sLocation:\s(?<loc>\w+)\sLocation\sId:\s(?<loc_id>\d+)" |
where user_id < 5000 |
table user_id, loc, loc_id, _time |
join type=outer user_id [search
index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_TWO |
rex field=_raw "User:\s(?<user_id>\d+)\sError:\s(?<error_type>\w+)\sOccurred" |
rex field=_raw "User:\s(?<user_id>\d+)\sError\sId:\s(?<error_id>\d+)" |
where user_id < 5000 |
eval error=coalesce(error_id, error_type) |
stats count(eval(isnotnull(error))) by user_id |
where count > 0
] |

where isnull(count) |

table user_id, loc, loc_id, _time

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-19-2021 08:18 AM

Use outer join to count errors of either type by user_id and filter for when no errors have been found in the second search

index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_ONE |
rex field=_raw "User:\s(?<user_id>\d+)\sLocation:\s(?<loc>\w+)\sLocation\sId:\s(?<loc_id>\d+)" |
where user_id < 5000 |
table user_id, loc, loc_id, _time |
join type=outer user_id [search
index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_TWO |
rex field=_raw "User:\s(?<user_id>\d+)\sError:\s(?<error_type>\w+)\sOccurred" |
rex field=_raw "User:\s(?<user_id>\d+)\sError\sId:\s(?<error_id>\d+)" |
where user_id < 5000 |
eval error=coalesce(error_id, error_type) |
stats count(eval(isnotnull(error))) by user_id |
where count > 0
] |

where isnull(count) |

table user_id, loc, loc_id, _time
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...