Splunk Search

How to find values that are not in a summary index

Path Finder

Good day,
I have sysmon information collected in an index called sysmon. I also have created a summary index "HASh256" of all hashes that are known to be good.

I'd like to write a search that shows me all the events that the hash is not found in the summary index. I was planning to use the join command but seems to join only works when you want to include results from the main search and the subsearch.
I want to exclude entries that are found in the subsearch.
How can I achieve that?

Appreciate any help.

0 Karma


You can just use | search NOT followed by a subsearch, e.g.

           | makeresults | eval Field=1
| append [ | makeresults |  eval Field=2 ]
| append [ | makeresults | eval Field=3 ]
| search NOT [ | makeresults | eval Field=2 ]

Or, in your case:

index=sysmon Field1=*
| search NOT [ | search index=HASH256 | dedup Field1 | fields Field1 ]