Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

NOT Search is not giving the expected result

ajees_basha
Explorer
‎09-17-2020 03:18 AM

i am trying the exclude the events in the sub search query using Search NOT. It is not returning the expected result.

in this i am trying to exclude "system=APICleanUp callbacknumber=* Message="API Success" sourcetype=application_prod" events. Both the logs are are coming from 2 different system..callback is the common field between two search queries.

Query:

environment=PROD system=API1 Message="API l logs"|dedup callbacknumber
| search NOT [search system=APICleanUp callbacknumber=* Message="API Success" sourcetype=application_prod ]| table callbacknumber

 

Any help will be highly appreciated

Labels (3)
Tags (1)
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-18-2020 01:08 AM

then my query should definitely work. if you can give more details I can troubleshoot. like sample event of two data sets and extracted fields and used fields in search. 

————————————
If this helps, give a like below.
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-17-2020 06:55 AM

but callbacknumber is unique for both right ?

————————————
If this helps, give a like below.
0 Karma
Reply

ajees_basha
Explorer
‎09-17-2020 05:54 PM

yes it is unique in both the queries

0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-17-2020 04:42 AM 
environment=PROD system=API1 Message="API l logs"|stats count as events_count by callbacknumber
| append [search system=APICleanUp callbacknumber=* Message="API Success" sourcetype=application_prod | stats count as subevents_count by callbacknumber]
| stats values(*) as * by callbacknumber
| where isnotnull(events_count) AND isnull(subevents_count)
————————————
If this helps, give a like below.
Reply

ajees_basha
Explorer
‎09-17-2020 06:48 AM

Thanks for your time @thambisetty ..sorry it is not giving the expected result.

Basically i would like to see the callback numbers which should have the log Message="API 1 logs" and should not have the log Message= "API Success".

first Message="API 1 logs" event will happen in the system=API1 followed by the event Message= "API Success" in the system=APICleanUp.

 

 

0 Karma
Reply

ajees_basha
Explorer
‎09-17-2020 03:20 AM

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...