Splunk Search

How to return results from Search1 which are not present in Search2?

cvreddy
New Member

I have two searches that return the common fields Event and UUID.
I have to get the results from the first search which are not present in the second search.

Search 1:

State="ConsumeMessageFromRabbitMQ" Action="Received-From-RabbitMQ-Server"

Search 2:

State="SendEmail" Action="After-SendEmail"

Can anyone provide the best search to find them?

Thanks in advance

0 Karma
1 Solution

sundareshr
Legend

Try this

State="ConsumeMessageFromRabbitMQ" Action="Received-From-RabbitMQ-Server" NOT [search State="SendEmail" Action="After-SendEmail" | dedup UUID | table UUID] | table Event UUID


0 Karma


cvreddy
New Member

I have to eliminate UUIDs from the first query which are present in the second query.
With the given query I'm getting more records than expected.

0 Karma
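The accepted answer uses a subsearch, and a subsearch is subject to limits (by default 10,000 results and 60 seconds, set by `maxout` and `maxtime` under `[subsearch]` in limits.conf). When the second search returns more UUIDs than the cap, the `NOT [...]` filter is silently truncated and the outer search returns events that should have been excluded, which matches the "more records than expected" symptom. The following is an added example, not part of the original thread: a single-pass anti-join with `stats` that avoids the subsearch entirely. It assumes both searches run against the same index and time range, and that UUID is extracted on both sets of events.

```spl
(State="ConsumeMessageFromRabbitMQ" Action="Received-From-RabbitMQ-Server")
    OR (State="SendEmail" Action="After-SendEmail")
| eval stage=if(State="SendEmail", "sent", "received")
| stats values(Event) as Event, values(stage) as stages, dc(stage) as stage_count by UUID
| where stage_count=1 AND stages="received"
| table Event UUID
```

Every UUID ends up as one row carrying the set of stages it was seen in; a row with only the "received" stage is a message that was consumed but never reached the SendEmail step. Because the exclusion is computed from the same result set rather than injected as a filter, it is not affected by subsearch truncation, and the rows that remain can be inspected directly (for example by adding `count` or `min(_time)` to the `stats` clause) when you need to verify why a UUID was kept.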