Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Return results where ClientID in first search DOES NOT match any ClientID in second search.

griffinpair
Path Finder
‎08-10-2017 08:31 AM

Search 1:

source=*D:\\XSP\\importhelpers* source=*IH_Daily\\DebugImportHelper* End
| rex field=source "importhelpers\\\\+(?LateClientID[^\\\\]+)"
| where (LateClientID="WHI")
OR (LateClientID="IRM")

Results: 

LateClientID: WHI, IRM

Search 2:

index="si_errors" sourcetype="si_LateEnd"

Results:

ClientID: WHI, ALP, USBI

Based on the results, I would want data from IRM to be returned. This is because any ClientID in the second search that matches a LateClientID returned in the first search I DO NOT want data from.

updated to mark code, DMJ

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎08-10-2017 08:52 AM

Try this ...

 source=*D:\\XSP\\importhelpers* source=*IH_Daily\\DebugImportHelper* End
 | rex field=source "importhelpers\\\\+(?LateClientID[^\\\\]+)"
 | where NOT [
      index="si_errors" sourcetype="si_LateEnd" 
     | dedup ClientID | table ClientID | rename ClientID as lateClientID  
     ]

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎08-10-2017 08:52 AM

Try this ...

 source=*D:\\XSP\\importhelpers* source=*IH_Daily\\DebugImportHelper* End
 | rex field=source "importhelpers\\\\+(?LateClientID[^\\\\]+)"
 | where NOT [
      index="si_errors" sourcetype="si_LateEnd" 
     | dedup ClientID | table ClientID | rename ClientID as lateClientID  
     ]
Reply
Solved! Jump to solution

griffinpair
Path Finder
‎08-10-2017 11:38 AM

This search works perfect thanks!! One more question for this though. How do I only search for records within the last 24 hours on the sub-search?

0 Karma
Reply
Solved! Jump to solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎08-10-2017 11:44 AM

Add the following to your sub-search:

index="si_errors" sourcetype="si_LateEnd" earliest=-24h@h latest=now
0 Karma
Reply
Solved! Jump to solution

griffinpair
Path Finder
‎08-10-2017 11:46 AM

It works good before I add that text. After I add it I get the error "Error in 'where' command: The 'not' function is unsupported or undefined."

0 Karma
Reply
Solved! Jump to solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎08-10-2017 08:50 AM

You could use a sub-search for this. Try something like this:

source=D:\\XSP\\importhelpers source=IH_Daily\\DebugImportHelper End 
| rex field=source "importhelpers\\\+(?LateClientID[^\\\]+)"
    NOT 
    [ search index="si_errors" sourcetype="si_LateEnd" 
    | eval LateClientID=ClientID]
0 Karma
Reply
Solved! Jump to solution

griffinpair
Path Finder
‎08-10-2017 08:57 AM

The "NOT" here is throwing an error. It is saying it is an invalid argument.

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎08-10-2017 09:29 AM

@griffinpair - run the subsearch all together on one line and try again. kmorris and I both chose to prettify the code - almost exactly the same way by coincidence - and sometimes splunk objects to whitespace in certain locations.

You should add | table LateClientID just inside the last subsearch bracket also.

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎08-10-2017 08:56 AM

@kmorris [Splunk] - OOOO - very close... but you left the ClientID field (and possibly others) to hit the implicit format....... 😉

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...