
Hello Splunkers,
I have some successful searches that are producing accurate numbers, but I am trying to put them together so that I take the results of a nested subsearch, remove them from the subsearch, and then join the results of the subsearch to the main search. The problem is that I don't know how to use, or otherwise achieve the equivalent of, a
NOT [search index=......
I know you need to do a join or append to get the contents of a subsearch talking to the search 'above' it, but is there a way to negate, subtract or do a NOT | join [search index=....
Can I add parentheses to move past this, or what is the way to achieve what I am trying to do?
Thanks.
You can do a NOT [subsearch] to remove results from your main search, so I'm not sure why that isn't working for you. It would be interesting to get a more defined use case. Are you familiar with using if or case statements within an eval? The reason I ask is, off the top of my head, the only thing I can come up with to trim out results from a search only to later join them back in is to create a complete 'picture' of activity where you are wanting to categorize. To that end, if or case statements might be your best ticket.
Trying to think of an example that isn't totally contrived. Let's say you wanted to show webservers that either have or have not had a 500-series HTTP status even if they have also had 200 ones. You could probably get away with something like
status=5* OR status=2* | eval state = if(status>=500, "uh-oh", "All Ok") | sort -status | dedup host | table host state
Frankly that's not a great query, but the point is I didn't first do a subsearch to weed out one set of servers only to add them back in with an append or join. Hope that makes sense at some level.

Yes. That is a macro.
Just to confirm: is the board eating your backticks on what appears to be a macro (filter_audit_daysago)?

Here is the search I am using, which is pulling up zero events. Separately, they all work fine:
index=asset_db
source="/var/asset_database/fullpull.csv"
"Reporting Status"=Reporting
"High Level Status"=Production
NOT "Purpose2"=Farm
"Last Audit"=*
"System Name"=*
| `filter_audit_daysago(90)`
| rename "System Name" as CN
| join CN
[search index=test_assets
source="C:\Splunk Test Assets\AD-LDAP export.csv"
earliest=-90d@d latest=-0d@d
CN=* NOT [search index=asset_db source="/var/asset_database/fullpull.csv" "Reporting Status"=Reporting "High Level Status"=Production "System Name"=* "Purpose2"=Farm | `filter_audit_daysago(90)`
| rename "System Name" AS CN | fields + CN]]

It's actually not a case of removing and then re-adding (apologies for my unclear description). I have two separate asset log files/databases. There is a way to organize a small subset of one of the log files that I cannot use to organize the other, even though the two share the same assets (for the most part). The idea is to use the small subset in the nested subsearch to remove those assets from the subsearch, and then join the two asset lists (with both having the subset removed). The databases are not exactly the same, which is why I am trying to join them to make a master reference.
The goal is to then actively track the log files and compare against other application logs to ensure that we are achieving the maximum software installation saturation in our environment.
Does that make sense?
Let me know if you have any ideas.
Thank you very much for your reply.
I appreciate it.
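Applying the eval if/case idea from the earlier reply to the two-database case described in this post, here is an added example; it is not from the thread and not one of the poster's searches. It searches both indexes in one pass, flags any asset that asset_db marks as Purpose2=Farm, drops that asset from both lists with a stats/where pair, and labels each remaining CN by which list it came from, so no join or nested NOT subsearch is needed. Assumptions: the index, source and field names are taken from the search posted above; the label `ad_ldap` and the field names `src`, `is_farm`, `sources`, `presence`, `hl_status`, `rep_status` and `last_audit` are names chosen for this example; the `filter_audit_daysago` macro is left out because its definition is not on the page; and the 90-day time range is applied to the whole search rather than only to the AD-LDAP branch.

```spl
(index=asset_db source="/var/asset_database/fullpull.csv" "Reporting Status"=Reporting "High Level Status"=Production "Last Audit"=* "System Name"=*)
OR (index=test_assets source="C:\Splunk Test Assets\AD-LDAP export.csv" CN=*)
earliest=-90d@d latest=-0d@d
| eval CN=coalesce(CN, 'System Name')
| eval src=if(index=="asset_db", "asset_db", "ad_ldap")
| eval is_farm=if(index=="asset_db" AND Purpose2=="Farm", 1, 0)
| stats max(is_farm) AS is_farm, values(src) AS sources, values("High Level Status") AS hl_status, values("Reporting Status") AS rep_status, values("Last Audit") AS last_audit BY CN
| where is_farm=0
| eval presence=case(mvcount(sources)==2, "both", sources=="asset_db", "asset_db only", true(), "ad_ldap only")
| table CN presence hl_status rep_status last_audit
```

The `max(is_farm)` per CN is what replaces the nested NOT subsearch: if any asset_db row for a CN is a Farm asset, the whole CN (including its AD-LDAP rows) is removed by the `where`. The `presence` field replaces the join: rows marked `both` are what an inner join on CN would have returned, while the `only` rows expose the differences between the two databases, which is the information a master reference needs. If the macro is a simple `where` on "Last Audit", it can be re-applied as an extra condition on the asset_db branch before the `stats`, for example `| where src!="asset_db" OR <audit-age condition>`, with the condition taken from the macro definition.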
