Splunk Search

Search for results which don't appear in subsearch

smcdonald20
Path Finder

I have the below search, but am not getting any results (even though I know there are results).
There are over 10,000 results in the first query; could that be the issue?

index=ad source=otl_aduserscan
|fields samAccountName, enabled
|search NOT [search index=summary source="otl - engineering - jira au tickets"
|fields Username | rename Username as samAccountName ]
|table samAccountName


lguinn2
Legend

I would try it this way:

(index=ad source=otl_aduserscan) OR (index=summary source="otl - engineering - jira au tickets" )
| eval samAccountName=coalesce(samAccountName,Username)
| chart count by samAccountName index
| fillnull
| where summary=0
| table samAccountName

This solution avoids any subsearch limitations (time or size of results). It may also be much faster. Finally, you can easily debug this search by running just the first 2-3 lines to "see what you get."

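An added, self-contained illustration of the approach above (not part of the original thread): the two data sources are simulated with makeresults, and a constructed field `src` stands in for the real `index` field so the search runs without any indexed data. The lower() call is an addition as well; it shows why an exact-value mismatch (here "Carol" in AD versus "carol" in the summary index) would otherwise make an account look unticketed when it is not.

```spl
| makeresults count=5
| streamstats count AS n
| eval src=if(n<=3, "ad", "summary")
| eval samAccountName=case(n=1, "alice", n=2, "bob", n=3, "Carol")
| eval Username=case(n=4, "bob", n=5, "carol")
| eval samAccountName=lower(coalesce(samAccountName, Username))
| chart count BY samAccountName src
| fillnull value=0
| where summary=0
| table samAccountName
```

Only alice is returned. Remove the lower() and "carol" joins her, because "Carol" and "carol" are counted as two different values by chart. Running the search down to the chart line and looking at the ad and summary columns is the quickest way to see why a given account is or is not in the final list.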

somesoni2
Revered Legend

If your subsearch result is getting truncated, you should see additional data since you're using the NOT command (the fewer records the subsearch returns, the fewer records get filtered). Does the value of field Username in your summary index and the value of field samAccountName match exactly? Give this a try as well.

index=ad source=otl_aduserscan
|fields samAccountName, enabled
|search NOT [search index=summary source="otl - engineering - jira au tickets"
|stats count by Username | eval samAccountName="*".Username."*" | table samAccountName ]
|table samAccountName
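A way to check what the wildcard subsearch above actually hands back to the outer search, added here and not from the original answer: run the inner search on its own with `| format` appended. The constructed makeresults rows stand in for the summary-index events, so the block runs without any indexed data.

```spl
| makeresults count=2
| streamstats count AS n
| eval Username=case(n=1, "bob", n=2, "carol")
| stats count BY Username
| eval samAccountName="*".Username."*"
| table samAccountName
| format
```

The single result has a `search` field holding the OR-ed filter the outer search will receive, one samAccountName="*...*" term per user. Running the real subsearch this way also shows how many rows it returns; if that number sits at the subsearch result limit (10,000 by default), the list is being cut off, and the chart-based search earlier in the thread avoids that limit entirely.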

niketnilay
Legend

Not sure if the query will be any better

index=ad source=otl_aduserscan NOT 
  [ search index=summary source="otl - engineering - jira au tickets" 
   | dedup Username 
   | eval samAccountName=Username ]
| table samAccountName
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"