Hi there, currently I am comparing data from two data sources and have achieved some great comparisons in which my subsearch returned field value equaling the matching value eg:
(id=10000) or (id=10001) or (id=10002)
etc..
However I am wondering if it is possible to return something like:
(id!=10000) or (id!=10001) or (id!=10002)
etc..
OR alternatively - can I simply do something like this in my search query:
search query | NOT [subsearch query | return field]
Or perhaps with brackets?
search query | (NOT [subsearch query | return field])
Please help!
The opposite of (id=10000) OR (id=10001) OR (id=10002)
is (id!=10000 AND id!=10001 AND id!=10002)
or simply NOT ((id=10000) OR (id=10001) OR (id=10002))
.
With subsearches fetching this filter condition it can be used either of following ways:-
search query | search NOT [subsearch query | return field] | ....
search query NOT [subsearch query | return field] ....
search query | where NOT [subsearch query | return field]
The opposite of (id=10000) OR (id=10001) OR (id=10002)
is (id!=10000 AND id!=10001 AND id!=10002)
or simply NOT ((id=10000) OR (id=10001) OR (id=10002))
.
With subsearches fetching this filter condition it can be used either of following ways:-
search query | search NOT [subsearch query | return field] | ....
search query NOT [subsearch query | return field] ....
search query | where NOT [subsearch query | return field]
Please note that id!=1 and NOT id=1 are NOT equal.
If you have the following events
id=1 someotherfield=a
someotherfield=a
id=1 someotherfield=a
id=2 someotherfield=b
searching for someotherfield=a NOT id=1 leads to
someotherfield=a
id=2 someotherfield=b
whereas searching for someotherfield=a id!=1 leads to
id=2 someotherfield=b
as id!=1 only returns events that contain field id, but not value 1, whereas NOT id=1 removes events with id=1 from the previous event set.
Exactly what I was after, thank you good sir!
@somesoni2
Based on your response above - would I need to place brackets around the subsearch similar to below;
search query NOT ([subsearch query | return field])
@somesoni2
I am concerned that my search will end up as:
search query NOT (id=10000) OR (id=10001) OR (id=10002)
This above syntax is not valid right?
Above one is not valid/correct for your requirements. The subsearch will automatically put proper brackets when resolved. You can validate that by checking the job Inspector, look for attribute normalized search.
I would follow the kiss principle and use - search query NOT id=10000 NOT id=10001 NOT id=10002
.
BTW - please use OR (versus or) such as - (id=10000) OR (id=10001) OR (id=10002)
The output you have provided is simply the output of ,y above subquery? Not what I was after sorry