Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a way to do a NOT IN search

riotto
Path Finder
‎10-27-2016 11:48 AM

something like;

[search index= myindex source=server.log earliest=-360 latest=-60 "

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-27-2016 01:03 PM

Try like this

index="idx" source="server.log" earliest=-360 latest=-60 "<Request" | xmlkv | fields clientId | search NOT
 [search  index="idx" source="server.log" earliest=-360 latest=now "<Response" | xmlkv | stats count by clientId |table clientId]

View solution in original post

0 Karma
Reply
Solved! Jump to solution

malvidin
Communicator
‎10-29-2020 11:01 AM

I would recommend using an eventstats command to exclude 

index="idx" earliest=-360s latest=-0s source="server.log"  "<Request" 
| xmlkv 
| eventstats earliest_time(clientId) as earliest_clientId by clientId
| where relative_time(now(), "-60s") > earliest_clientId
|`enter code here`

 

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-27-2016 01:03 PM

Try like this

index="idx" source="server.log" earliest=-360 latest=-60 "<Request" | xmlkv | fields clientId | search NOT
 [search  index="idx" source="server.log" earliest=-360 latest=now "<Response" | xmlkv | stats count by clientId |table clientId]
0 Karma
Reply
Solved! Jump to solution

riotto
Path Finder
‎10-27-2016 02:21 PM

it works! Thanks much

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎10-27-2016 11:51 AM

are you trying to search for everything EXCEPT search index= myindex source=server.log earliest=-360 latest=-60

Reply
Solved! Jump to solution

riotto
Path Finder
‎10-27-2016 11:57 AM

No, something like
earliest=-360 latest=-60 "

0 Karma
Reply
Solved! Jump to solution

riotto
Path Finder
‎10-27-2016 12:04 PM

can't paste my example?

0 Karma
Reply
Solved! Jump to solution

riotto
Path Finder
‎10-27-2016 12:11 PM

it's cutting off my example sorry

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎10-27-2016 12:12 PM

when pasting your example, highlight the syntax and click on the little '101 010' icon above the texbox

Reply
Solved! Jump to solution

riotto
Path Finder
‎10-27-2016 12:17 PM 
[search index="idx" source="server.log" earliest=-360 latest=-60 "<Request" | xmlkv | fields clientId]
NOT IN
[search  index="idx" source="server.log" earliest=-360 latest=now "<Response" | xmlkv | fields clientId]`enter code here`
0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎10-27-2016 12:04 PM

@riotto

Can you give more details on what you're looking for with expected results? It's hard just figuring this out with only a search. People need more context here other than the same search you put in the content of your question.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...