How to write a search to return values from source...

dfigurello · ‎12-14-2015

Hi Splunkers,

I have three sources in my Splunk deployment:
(all_cardnumbers.csv, fraud_detect1_card.csv and fraud_detect1_card.csv)

all_cardnumbers_card
1111#####1010
1111#####1011
1111#####1012
1111#####1013
1111#####1014
1111#####1015

fraud_detect1_card
1111#####1012
1111#####1013

and the last one fraud_detect2_card source:
1111#####1014
1111#####1015

I'd like to create a new field called no_fraud with the results:
1111#####1010
1111#####1011

Can you guys help me to do a search for this?

Cheers.

jplumsdaine22 · ‎12-15-2015

I'm assuming your events have only a single field, cardID, (apart from the default fields like source and host).

You should be able to get around using a subsearch with the following. Depending on the size of your fraud_detect csvs, Iguinns subsearch method could be faster - I would try both.

source=*card | stats values(source) as source by cardID | search NOT (source=fraud_detect1_card  OR source=fraud_detect2_card) | rename cardID as no_fraud | table no_fraud

lguinn2 · ‎12-14-2015

Try this

source=all_cardnumbers_card NOT [ search source=fraud_detect*_card | dedup cardID | fields cardID ]

This uses the subsearch feature of Splunk. Note that there are limits to subsearches, so you may want to read the manual page here.

How to write a search to return values from source1 that do not appear in source2 and source3?

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...