Splunk Search

How to write a search to return values from source1 that do not appear in source2 and source3?

dfigurello
Communicator

Hi Splunkers,

I have three sources in my Splunk deployment:
(all_cardnumbers.csv, fraud_detect1_card.csv and fraud_detect2_card.csv)

all_cardnumbers_card
1111#####1010
1111#####1011
1111#####1012
1111#####1013
1111#####1014
1111#####1015

fraud_detect1_card
1111#####1012
1111#####1013

and the last one fraud_detect2_card source:
1111#####1014
1111#####1015

I'd like to create a new field called no_fraud with the results:
1111#####1010
1111#####1011

Can you guys help me to do a search for this?

Cheers.


jplumsdaine22
Influencer

I'm assuming your events have only a single field, cardID, (apart from the default fields like source and host).

You should be able to get around using a subsearch with the following. Depending on the size of your fraud_detect CSVs, lguinn2's subsearch method could be faster; I would try both.

source=*card | stats values(source) as source by cardID | search NOT (source=fraud_detect1_card OR source=fraud_detect2_card) | rename cardID as no_fraud | table no_fraud

lguinn2
Legend

Try this

source=all_cardnumbers_card NOT [ search source=fraud_detect*_card | dedup cardID | fields cardID ]

This uses the subsearch feature of Splunk. Note that there are limits to subsearches, so you may want to read the manual page here.
