How to use subsearch to find which values from a s...

brajaram · ‎05-07-2018

I have two seperate sourcetypes. In the first sourcetype, I have a field memberID that also exists in the second sourcetype.

The query I am using right now is:

index=...sourcetype=A.... [search index=... sourcetype=B... other filters | table memberID]

This correctly returns the memberID's in sourcetype A that exist in the subsearch in sourcetype B. However, not all memberID's returned in the table generated in the subsearch are returning in this combined search. I am trying to find out which memberIDs exist from the subsearch(sourcetype B) and do NOT exist in the primary search(sourcetype A).

If I do:

index=...sourcetype=A.... NOT [search index=... sourcetype=B... other filters | table memberID]

it just returns a large list of everything except all the memberIDs in the subsearch, but I want to specifically get the list of memberIDs from the subsearch that are not in the primary search.

knielsen · ‎05-08-2018

Maybe this gives you what you want?

index=A sourcetype=A OR (index=B ...more filters) | chart count over memberID by index | where A=0 AND B>0

How to use subsearch to find which values from a subsearch populated table aren't in another search?

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

How to use subsearch to find which values from a subsearch populated table aren't in another search?

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...