Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

NOT Search is not giving the expected result

ajees_basha
Explorer
‎09-17-2020 03:18 AM

i am trying the exclude the events in the sub search query using Search NOT. It is not returning the expected result.

in this i am trying to exclude "system=APICleanUp callbacknumber=* Message="API Success" sourcetype=application_prod" events. Both the logs are are coming from 2 different system..callback is the common field between two search queries.

Query:

environment=PROD system=API1 Message="API l logs"|dedup callbacknumber
| search NOT [search system=APICleanUp callbacknumber=* Message="API Success" sourcetype=application_prod ]| table callbacknumber

 

Any help will be highly appreciated

Labels (3)
Tags (1)
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-18-2020 01:08 AM

then my query should definitely work. if you can give more details I can troubleshoot. like sample event of two data sets and extracted fields and used fields in search. 

————————————
If this helps, give a like below.
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-17-2020 06:55 AM

but callbacknumber is unique for both right ?

————————————
If this helps, give a like below.
0 Karma
Reply

ajees_basha
Explorer
‎09-17-2020 05:54 PM

yes it is unique in both the queries

0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-17-2020 04:42 AM 
environment=PROD system=API1 Message="API l logs"|stats count as events_count by callbacknumber
| append [search system=APICleanUp callbacknumber=* Message="API Success" sourcetype=application_prod | stats count as subevents_count by callbacknumber]
| stats values(*) as * by callbacknumber
| where isnotnull(events_count) AND isnull(subevents_count)
————————————
If this helps, give a like below.
Reply

ajees_basha
Explorer
‎09-17-2020 06:48 AM

Thanks for your time @thambisetty ..sorry it is not giving the expected result.

Basically i would like to see the callback numbers which should have the log Message="API 1 logs" and should not have the log Message= "API Success".

first Message="API 1 logs" event will happen in the system=API1 followed by the event Message= "API Success" in the system=APICleanUp.

 

 

0 Karma
Reply

ajees_basha
Explorer
‎09-17-2020 03:20 AM

0 Karma
Reply
Get Updates on the Splunk Community!

Changes to Splunk Instructor-Led Training Completion Criteria

We’re excited to share an update to our instructor-led training program that enhances the learning experience ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

❄️ Welcome the new year with our January lineup of Community Office Hours, Tech Talks, and Webinars! 🎉 ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...