Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

NOT Search is not giving the expected result

ajees_basha
Explorer
‎09-17-2020 03:18 AM

i am trying the exclude the events in the sub search query using Search NOT. It is not returning the expected result.

in this i am trying to exclude "system=APICleanUp callbacknumber=* Message="API Success" sourcetype=application_prod" events. Both the logs are are coming from 2 different system..callback is the common field between two search queries.

Query:

environment=PROD system=API1 Message="API l logs"|dedup callbacknumber
| search NOT [search system=APICleanUp callbacknumber=* Message="API Success" sourcetype=application_prod ]| table callbacknumber

 

Any help will be highly appreciated

Labels (3)
Tags (1)
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-18-2020 01:08 AM

then my query should definitely work. if you can give more details I can troubleshoot. like sample event of two data sets and extracted fields and used fields in search. 

————————————
If this helps, give a like below.
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-17-2020 06:55 AM

but callbacknumber is unique for both right ?

————————————
If this helps, give a like below.
0 Karma
Reply

ajees_basha
Explorer
‎09-17-2020 05:54 PM

yes it is unique in both the queries

0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-17-2020 04:42 AM 
environment=PROD system=API1 Message="API l logs"|stats count as events_count by callbacknumber
| append [search system=APICleanUp callbacknumber=* Message="API Success" sourcetype=application_prod | stats count as subevents_count by callbacknumber]
| stats values(*) as * by callbacknumber
| where isnotnull(events_count) AND isnull(subevents_count)
————————————
If this helps, give a like below.
Reply

ajees_basha
Explorer
‎09-17-2020 06:48 AM

Thanks for your time @thambisetty ..sorry it is not giving the expected result.

Basically i would like to see the callback numbers which should have the log Message="API 1 logs" and should not have the log Message= "API Success".

first Message="API 1 logs" event will happen in the system=API1 followed by the event Message= "API Success" in the system=APICleanUp.

 

 

0 Karma
Reply

ajees_basha
Explorer
‎09-17-2020 03:20 AM

0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...