Set difference between two output of two query

Nilesh067 · ‎10-22-2020

I have two query i want to get those result that are in query 1 but not in query 2

Query 1 :

index=APP_SERVER- source=API_LOG "Error while create record for customer id*" |rex "customer id : (?<custId>.*\w+)" |dedup custId |table custId

Output :

94ABGH0048

902SDKK557

902SGHT224

902SLWT720

Query 2 :

index=APP_SERVER- source=API_LOGS "Successfully created record for customer id*" |rex "customer id : (?<custId>.*\w+)" |dedup custId |table custId

Output :

945TTFK0548

94ABGH0048

902SLWT720

I want below output out of both query ,it means these id are in query 1 result but not in query 2 result

902SDKK557

902SGHT224

richgalloway · ‎10-22-2020

This should do it.

index=APP_SERVER- source=API_LOG "Error while create record for customer id*" 
| rex "customer id : (?<custId>.*\w+)" 
| search NOT [search index=APP_SERVER- source=API_LOGS  "Successfully created record for customer id*" |rex "customer id : (?<custId>.*\w+)" | return custId]
| dedup custId 
| table custId

---
If this reply helps you, Karma would be appreciated.

Nilesh067 · ‎10-22-2020

@richgalloway
it is showing, Unknown search command 'index'.

richgalloway · ‎10-23-2020

I've corrected my reply.

---
If this reply helps you, Karma would be appreciated.

Set difference between two output of two query

eval

fields

join

rex

subsearch

table

Community Content Calendar, August edition

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Are you a member of the Splunk Community?

Set difference between two output of two query