How to use subsearch to find which values from a s...

brajaram · ‎05-07-2018

I have two seperate sourcetypes. In the first sourcetype, I have a field memberID that also exists in the second sourcetype.

The query I am using right now is:

index=...sourcetype=A.... [search index=... sourcetype=B... other filters | table memberID]

This correctly returns the memberID's in sourcetype A that exist in the subsearch in sourcetype B. However, not all memberID's returned in the table generated in the subsearch are returning in this combined search. I am trying to find out which memberIDs exist from the subsearch(sourcetype B) and do NOT exist in the primary search(sourcetype A).

If I do:

index=...sourcetype=A.... NOT [search index=... sourcetype=B... other filters | table memberID]

it just returns a large list of everything except all the memberIDs in the subsearch, but I want to specifically get the list of memberIDs from the subsearch that are not in the primary search.

knielsen · ‎05-08-2018

Maybe this gives you what you want?

index=A sourcetype=A OR (index=B ...more filters) | chart count over memberID by index | where A=0 AND B>0

How to use subsearch to find which values from a subsearch populated table aren't in another search?

Can’t make it to .conf25? Join us online!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Are you a member of the Splunk Community?

How to use subsearch to find which values from a subsearch populated table aren't in another search?

Can’t make it to .conf25? Join us online!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...