Solved: How to return results from Search1 which are not p...

cvreddy · ‎06-01-2016

I have two searches that will return common fields Event & UUID.
I have to get the results from the first search which are not present in the second search.

Search 1:

State="ConsumeMessageFromRabbitMQ" Action="Received-From-RabbitMQ-Server"

Search 2:

State="SendEmail" Action="After-SendEmail"

Can anyone provide the best search to find them?

Thanks in advance

sundareshr · ‎06-01-2016

Try this

State="ConsumeMessageFromRabbitMQ" Action="Received-From-RabbitMQ-Server" NOT [search State="SendEmail" Action="After-SendEmail" | dedup UUID | table UUID] | table Event UUID

View solution in original post

sundareshr · ‎06-01-2016

Try this

State="ConsumeMessageFromRabbitMQ" Action="Received-From-RabbitMQ-Server" NOT [search State="SendEmail" Action="After-SendEmail" | dedup UUID | table UUID] | table Event UUID

cvreddy · ‎06-01-2016

I've to eliminate UUID's from first query which are present in second query.
With the given query I'm getting more records as expected.

How to return results from Search1 which are not present in Search2?

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)