Solved: Re: How to get subsearch to return a result which ...

alexandermunce · ‎12-22-2016

Hi there, currently I am comparing data from two data sources and have achieved some great comparisons in which my subsearch returned field value equaling the matching value eg:

(id=10000) or (id=10001) or (id=10002)

etc..

However I am wondering if it is possible to return something like:

(id!=10000) or (id!=10001) or (id!=10002)

etc..

OR alternatively - can I simply do something like this in my search query:

search query | NOT [subsearch query | return field]

Or perhaps with brackets?

search query | (NOT [subsearch query | return field])

Please help!

somesoni2 · ‎12-23-2016

The opposite of (id=10000) OR (id=10001) OR (id=10002) is (id!=10000 AND id!=10001 AND id!=10002) or simply NOT ((id=10000) OR (id=10001) OR (id=10002)).

With subsearches fetching this filter condition it can be used either of following ways:-

 search query | search NOT [subsearch query | return field] | ....

 search query NOT [subsearch query | return field] ....

 search query | where NOT [subsearch query | return field]

View solution in original post

somesoni2 · ‎12-23-2016

The opposite of (id=10000) OR (id=10001) OR (id=10002) is (id!=10000 AND id!=10001 AND id!=10002) or simply NOT ((id=10000) OR (id=10001) OR (id=10002)).

With subsearches fetching this filter condition it can be used either of following ways:-

 search query | search NOT [subsearch query | return field] | ....

 search query NOT [subsearch query | return field] ....

 search query | where NOT [subsearch query | return field]

dvb · ‎10-22-2021

Please note that id!=1 and NOT id=1 are NOT equal.

If you have the following events

id=1 someotherfield=a
someotherfield=a
id=1 someotherfield=a
id=2 someotherfield=b

searching for someotherfield=a NOT id=1 leads to

someotherfield=a
id=2 someotherfield=b

whereas searching for someotherfield=a id!=1 leads to

id=2 someotherfield=b

as id!=1 only returns events that contain field id, but not value 1, whereas NOT id=1 removes events with id=1 from the previous event set.

alexandermunce · ‎12-25-2016

Exactly what I was after, thank you good sir!

alexandermunce · ‎12-27-2016

@somesoni2

Based on your response above - would I need to place brackets around the subsearch similar to below;

search query NOT ([subsearch query | return field])

alexandermunce · ‎12-27-2016

@somesoni2

I am concerned that my search will end up as:

search query NOT (id=10000) OR (id=10001) OR (id=10002)

This above syntax is not valid right?

somesoni2 · ‎12-27-2016

Above one is not valid/correct for your requirements. The subsearch will automatically put proper brackets when resolved. You can validate that by checking the job Inspector, look for attribute normalized search.

ddrillic · ‎12-22-2016

I would follow the kiss principle and use - search query NOT id=10000 NOT id=10001 NOT id=10002.

BTW - please use OR (versus or) such as - (id=10000) OR (id=10001) OR (id=10002)

alexandermunce · ‎12-25-2016

The output you have provided is simply the output of ,y above subquery? Not what I was after sorry

How to get subsearch to return a result which is NOT EQUAL to the returned value?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM