Hi there, currently I am comparing data from two data sources and have achieved some great comparisons in which my subsearch returned field value equaling the matching value eg:
(id=10000) or (id=10001) or (id=10002)
However I am wondering if it is possible to return something like:
(id!=10000) or (id!=10001) or (id!=10002)
OR alternatively - can I simply do something like this in my search query:
search query | NOT [subsearch query | return field]
Or perhaps with brackets?
search query | (NOT [subsearch query | return field])
I would follow the kiss principle and use -
search query NOT id=10000 NOT id=10001 NOT id=10002.
BTW - please use OR (versus or) such as -
(id=10000) OR (id=10001) OR (id=10002)
The output you have provided is simply the output of ,y above subquery? Not what I was after sorry
The opposite of
(id=10000) OR (id=10001) OR (id=10002) is
(id!=10000 AND id!=10001 AND id!=10002) or simply
NOT ((id=10000) OR (id=10001) OR (id=10002)).
With subsearches fetching this filter condition it can be used either of following ways:-
search query | search NOT [subsearch query | return field] | .... search query NOT [subsearch query | return field] .... search query | where NOT [subsearch query | return field]
Based on your response above - would I need to place brackets around the subsearch similar to below;
search query NOT ([subsearch query | return field])
I am concerned that my search will end up as:
search query NOT (id=10000) OR (id=10001) OR (id=10002)
This above syntax is not valid right?
Above one is not valid/correct for your requirements. The subsearch will automatically put proper brackets when resolved. You can validate that by checking the job Inspector, look for attribute normalized search.