Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to find all unmatched records in two sources type by using multiple fields?

oraclebox
Explorer
‎09-25-2014 02:51 AM

sourcetypes=ship
fields: PortId,ServiceLoopID,VesselName,ID
sourcetypes=route
fields: PORT,LOOP,VS_NAME,SID

I have two sourcetypes above, I want to find out all events in sourcetypes=ship which cannot find in sourcetypes=route.
The matching fields is PortId=PORT, ServiceLoopID=LOOP, VesselName=VS_NAME, ID=SID, how can I do it?

Tags (3)
0 Karma
Reply

somesoni2
Revered Legend
‎09-25-2014 07:01 AM

Try this

sourcetype=ship NOT [search sourcetype=route | table PORT,LOOP,VS_NAME,SID| rename PORT as PortId, Loop as ServiceLoopID, VS_NAME as VesselName, SID as ID ] | table PortId,ServiceLoopID,VesselName,ID
0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...