Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a way to do a NOT IN search

riotto
Path Finder
‎10-27-2016 11:48 AM

something like;

[search index= myindex source=server.log earliest=-360 latest=-60 "

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-27-2016 01:03 PM

Try like this

index="idx" source="server.log" earliest=-360 latest=-60 "<Request" | xmlkv | fields clientId | search NOT
 [search  index="idx" source="server.log" earliest=-360 latest=now "<Response" | xmlkv | stats count by clientId |table clientId]

View solution in original post

0 Karma
Reply
Solved! Jump to solution

malvidin
Communicator
‎10-29-2020 11:01 AM

I would recommend using an eventstats command to exclude 

index="idx" earliest=-360s latest=-0s source="server.log"  "<Request" 
| xmlkv 
| eventstats earliest_time(clientId) as earliest_clientId by clientId
| where relative_time(now(), "-60s") > earliest_clientId
|`enter code here`

 

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-27-2016 01:03 PM

Try like this

index="idx" source="server.log" earliest=-360 latest=-60 "<Request" | xmlkv | fields clientId | search NOT
 [search  index="idx" source="server.log" earliest=-360 latest=now "<Response" | xmlkv | stats count by clientId |table clientId]
0 Karma
Reply
Solved! Jump to solution

riotto
Path Finder
‎10-27-2016 02:21 PM

it works! Thanks much

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎10-27-2016 11:51 AM

are you trying to search for everything EXCEPT search index= myindex source=server.log earliest=-360 latest=-60

Reply
Solved! Jump to solution

riotto
Path Finder
‎10-27-2016 11:57 AM

No, something like
earliest=-360 latest=-60 "

0 Karma
Reply
Solved! Jump to solution

riotto
Path Finder
‎10-27-2016 12:04 PM

can't paste my example?

0 Karma
Reply
Solved! Jump to solution

riotto
Path Finder
‎10-27-2016 12:11 PM

it's cutting off my example sorry

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎10-27-2016 12:12 PM

when pasting your example, highlight the syntax and click on the little '101 010' icon above the texbox

Reply
Solved! Jump to solution

riotto
Path Finder
‎10-27-2016 12:17 PM 
[search index="idx" source="server.log" earliest=-360 latest=-60 "<Request" | xmlkv | fields clientId]
NOT IN
[search  index="idx" source="server.log" earliest=-360 latest=now "<Response" | xmlkv | fields clientId]`enter code here`
0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎10-27-2016 12:04 PM

@riotto

Can you give more details on what you're looking for with expected results? It's hard just figuring this out with only a search. People need more context here other than the same search you put in the content of your question.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...