How to use subsearch to find which values from a s...

brajaram · ‎05-07-2018

I have two seperate sourcetypes. In the first sourcetype, I have a field memberID that also exists in the second sourcetype.

The query I am using right now is:

index=...sourcetype=A.... [search index=... sourcetype=B... other filters | table memberID]

This correctly returns the memberID's in sourcetype A that exist in the subsearch in sourcetype B. However, not all memberID's returned in the table generated in the subsearch are returning in this combined search. I am trying to find out which memberIDs exist from the subsearch(sourcetype B) and do NOT exist in the primary search(sourcetype A).

If I do:

index=...sourcetype=A.... NOT [search index=... sourcetype=B... other filters | table memberID]

it just returns a large list of everything except all the memberIDs in the subsearch, but I want to specifically get the list of memberIDs from the subsearch that are not in the primary search.

knielsen · ‎05-08-2018

Maybe this gives you what you want?

index=A sourcetype=A OR (index=B ...more filters) | chart count over memberID by index | where A=0 AND B>0

How to use subsearch to find which values from a subsearch populated table aren't in another search?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation