How to find records where a field's value doesn't ...

saqib99 · ‎01-21-2020

I have the following two searches:

1) earliest=-4h latest=now index="main" field1="somethingA"
2) earliest=-4h latest=now index="main" field2="somethingB"

All records contain a field name field3.

I want to find all the records that are in query #1 but whose field3 is not found in any records in query #2.

How can I do it?

saqib99 · ‎01-22-2020

This worked:

> earliest=-4h latest=now index="main" field1="somethingA" NOT [search earliest=-4h latest=now index="main" field2="somethingB" | fields + field3]

to4kawa · ‎01-22-2020

I see, please accept your answer and close.

to4kawa · ‎01-21-2020

index=main (field1="somethingA" OR field2="somethingB" ) earliest=-4h latest=now 
| streamstats window=1 values(eval(if(field1="somethingA" AND NOT field2="somethingB","flag",NULL))) as field3_exc_field2_inc_field1
| where field3_exc_field2_inc_field1="flag"

hi, @saqib99
how about this?

saqib99 · ‎01-22-2020

That didn't work. But the answer shown below did.

How to find records where a field's value doesn't exist in a subsearch?

Splunk Mobile: Your Brand-New Home Screen

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

Are you a member of the Splunk Community?

How to find records where a field's value doesn't exist in a subsearch?

Splunk Mobile: Your Brand-New Home Screen

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...