How to create a search and subsearch to exclude re...

pc1234 · ‎10-17-2022

I need to create a search and subsearch to exclude results in a query.

the primary search is a lookup table. the subsearch is a query on events that extracts a field I want to use to join to the primary search. the common field is hostname.

If a given hostname in the lookup table is found in the subsearch i want to discard it.

primary search

| inputlookup hosts.csv

field = hostname

output:

host1

host2

host3

subsearch

index=abc message="for account" sourcetype=type1

rex field=names"(?<hostname>\S+)

field hostname

output:

host3

I want the following output:

hostname

host1

host2

I want to discard host3 since its in the subquery.

How do I correlate the searches to do this? I can't use a join because the hostname in the subsearch is not computed until the subquery is executed.

Thanks in Advance.

richgalloway · ‎10-17-2022

You wrote what you need to do - a search, a subsearch, and exclude (NOT).

| inputlookup hosts.csv where NOT [ index=abc message="for account" sourcetype=type1 | rex field=names"(?<hostname>\S+) ]

It also can be done with a join, but that's not preferred.

| inputlookup hosts.csv
| join type=left hostname [
  index=abc message="for account" sourcetype=type1
  | rex field=names"(?<hostname>\S+) ]

---
If this reply helps you, Karma would be appreciated.

How to create a search and subsearch to exclude results in a query?

join

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Are you a member of the Splunk Community?