Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How To Exclude Results From One Search Where a Field Value Matches the Field Value of Another Search

Traer001
Path Finder
‎04-19-2021 07:42 AM

Hello!

I have two searches that return separate data but have a common field. I am trying to filter my first search by excluding results where the common field value matches the field value in my second search. However, my results are not being filtered and I am not sure where I am going wrong in this query. They are fairly lengthy queries, so a smaller example is below.

 

Query 1:

index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_ONE |

rex field=_raw "User:\s(?<user_id>\d+)\sLocation:\s(?<loc>\w+)\sLocation\sId:\s(?<loc_id>\d+)" |

where user_id < 5000 |

table user_id, loc, loc_id, _time

 

Query 2:

index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_TWO |

rex field=_raw "User:\s(?<error_user_id>\d+)\sError:\s(?<error_type>\w+)\sOccurred" |

rex field=_raw "User:\s(?<error_user_id>\d+)\sError\sId:\s(?<error_id>\d+)" |

where error_user_id < 5000 |

table error_user_id, error_type, error_id, _time

 

Attempt at Filtering:

index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_ONE |

rex field=_raw "User:\s(?<user_id>\d+)\sLocation:\s(?<loc>\w+)\sLocation\sId:\s(?<loc_id>\d+)" |

where user_id < 5000 |

table user_id, loc, loc_id, _time |

search [search

index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_TWO |

rex field=_raw "User:\s(?<error_user_id>\d+)\sError:\s(?<error_type>\w+)\sOccurred" |

rex field=_raw "User:\s(?<error_user_id>\d+)\sError\sId:\s(?<error_id>\d+)" |

where error_user_id < 5000 |

table user_id, error_type, error_id, _time

] |

where user_id != error_user_id |

table user_id, loc, loc_id, _time

 

In this attempt to filter, I am trying to filter the first search and exclude any instances of users where the user_id matches the error_user_id. It isn't working, though. Any ideas on how I can get this to work?

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-19-2021 08:18 AM

Use outer join to count errors of either type by user_id and filter for when no errors have been found in the second search

index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_ONE |
rex field=_raw "User:\s(?<user_id>\d+)\sLocation:\s(?<loc>\w+)\sLocation\sId:\s(?<loc_id>\d+)" |
where user_id < 5000 |
table user_id, loc, loc_id, _time |
join type=outer user_id [search
index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_TWO |
rex field=_raw "User:\s(?<user_id>\d+)\sError:\s(?<error_type>\w+)\sOccurred" |
rex field=_raw "User:\s(?<user_id>\d+)\sError\sId:\s(?<error_id>\d+)" |
where user_id < 5000 |
eval error=coalesce(error_id, error_type) |
stats count(eval(isnotnull(error))) by user_id |
where count > 0
] |

where isnull(count) |

table user_id, loc, loc_id, _time

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-19-2021 08:18 AM

Use outer join to count errors of either type by user_id and filter for when no errors have been found in the second search

index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_ONE |
rex field=_raw "User:\s(?<user_id>\d+)\sLocation:\s(?<loc>\w+)\sLocation\sId:\s(?<loc_id>\d+)" |
where user_id < 5000 |
table user_id, loc, loc_id, _time |
join type=outer user_id [search
index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_TWO |
rex field=_raw "User:\s(?<user_id>\d+)\sError:\s(?<error_type>\w+)\sOccurred" |
rex field=_raw "User:\s(?<user_id>\d+)\sError\sId:\s(?<error_id>\d+)" |
where user_id < 5000 |
eval error=coalesce(error_id, error_type) |
stats count(eval(isnotnull(error))) by user_id |
where count > 0
] |

where isnull(count) |

table user_id, loc, loc_id, _time
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...