Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a way to do a NOT IN search

riotto
Path Finder
‎10-27-2016 11:48 AM

something like;

[search index= myindex source=server.log earliest=-360 latest=-60 "

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-27-2016 01:03 PM

Try like this

index="idx" source="server.log" earliest=-360 latest=-60 "<Request" | xmlkv | fields clientId | search NOT
 [search  index="idx" source="server.log" earliest=-360 latest=now "<Response" | xmlkv | stats count by clientId |table clientId]

View solution in original post

0 Karma
Reply
Solved! Jump to solution

malvidin
Communicator
‎10-29-2020 11:01 AM

I would recommend using an eventstats command to exclude 

index="idx" earliest=-360s latest=-0s source="server.log"  "<Request" 
| xmlkv 
| eventstats earliest_time(clientId) as earliest_clientId by clientId
| where relative_time(now(), "-60s") > earliest_clientId
|`enter code here`

 

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-27-2016 01:03 PM

Try like this

index="idx" source="server.log" earliest=-360 latest=-60 "<Request" | xmlkv | fields clientId | search NOT
 [search  index="idx" source="server.log" earliest=-360 latest=now "<Response" | xmlkv | stats count by clientId |table clientId]
0 Karma
Reply
Solved! Jump to solution

riotto
Path Finder
‎10-27-2016 02:21 PM

it works! Thanks much

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎10-27-2016 11:51 AM

are you trying to search for everything EXCEPT search index= myindex source=server.log earliest=-360 latest=-60

Reply
Solved! Jump to solution

riotto
Path Finder
‎10-27-2016 11:57 AM

No, something like
earliest=-360 latest=-60 "

0 Karma
Reply
Solved! Jump to solution

riotto
Path Finder
‎10-27-2016 12:04 PM

can't paste my example?

0 Karma
Reply
Solved! Jump to solution

riotto
Path Finder
‎10-27-2016 12:11 PM

it's cutting off my example sorry

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎10-27-2016 12:12 PM

when pasting your example, highlight the syntax and click on the little '101 010' icon above the texbox

Reply
Solved! Jump to solution

riotto
Path Finder
‎10-27-2016 12:17 PM 
[search index="idx" source="server.log" earliest=-360 latest=-60 "<Request" | xmlkv | fields clientId]
NOT IN
[search  index="idx" source="server.log" earliest=-360 latest=now "<Response" | xmlkv | fields clientId]`enter code here`
0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎10-27-2016 12:04 PM

@riotto

Can you give more details on what you're looking for with expected results? It's hard just figuring this out with only a search. People need more context here other than the same search you put in the content of your question.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...