Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

NOT Search is not giving the expected result

ajees_basha
Explorer
‎09-17-2020 03:18 AM

i am trying the exclude the events in the sub search query using Search NOT. It is not returning the expected result.

in this i am trying to exclude "system=APICleanUp callbacknumber=* Message="API Success" sourcetype=application_prod" events. Both the logs are are coming from 2 different system..callback is the common field between two search queries.

Query:

environment=PROD system=API1 Message="API l logs"|dedup callbacknumber
| search NOT [search system=APICleanUp callbacknumber=* Message="API Success" sourcetype=application_prod ]| table callbacknumber

 

Any help will be highly appreciated

Labels (3)
Tags (1)
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-18-2020 01:08 AM

then my query should definitely work. if you can give more details I can troubleshoot. like sample event of two data sets and extracted fields and used fields in search. 

————————————
If this helps, give a like below.
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-17-2020 06:55 AM

but callbacknumber is unique for both right ?

————————————
If this helps, give a like below.
0 Karma
Reply

ajees_basha
Explorer
‎09-17-2020 05:54 PM

yes it is unique in both the queries

0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-17-2020 04:42 AM 
environment=PROD system=API1 Message="API l logs"|stats count as events_count by callbacknumber
| append [search system=APICleanUp callbacknumber=* Message="API Success" sourcetype=application_prod | stats count as subevents_count by callbacknumber]
| stats values(*) as * by callbacknumber
| where isnotnull(events_count) AND isnull(subevents_count)
————————————
If this helps, give a like below.
Reply

ajees_basha
Explorer
‎09-17-2020 06:48 AM

Thanks for your time @thambisetty ..sorry it is not giving the expected result.

Basically i would like to see the callback numbers which should have the log Message="API 1 logs" and should not have the log Message= "API Success".

first Message="API 1 logs" event will happen in the system=API1 followed by the event Message= "API Success" in the system=APICleanUp.

 

 

0 Karma
Reply

ajees_basha
Explorer
‎09-17-2020 03:20 AM

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Top