Set difference between two output of two query

Nilesh067 · ‎10-22-2020

I have two query i want to get those result that are in query 1 but not in query 2

Query 1 :

index=APP_SERVER- source=API_LOG "Error while create record for customer id*" |rex "customer id : (?<custId>.*\w+)" |dedup custId |table custId

Output :

94ABGH0048

902SDKK557

902SGHT224

902SLWT720

Query 2 :

index=APP_SERVER- source=API_LOGS "Successfully created record for customer id*" |rex "customer id : (?<custId>.*\w+)" |dedup custId |table custId

Output :

945TTFK0548

94ABGH0048

902SLWT720

I want below output out of both query ,it means these id are in query 1 result but not in query 2 result

902SDKK557

902SGHT224

richgalloway · ‎10-22-2020

This should do it.

index=APP_SERVER- source=API_LOG "Error while create record for customer id*" 
| rex "customer id : (?<custId>.*\w+)" 
| search NOT [search index=APP_SERVER- source=API_LOGS  "Successfully created record for customer id*" |rex "customer id : (?<custId>.*\w+)" | return custId]
| dedup custId 
| table custId

---
If this reply helps you, Karma would be appreciated.

Nilesh067 · ‎10-22-2020

@richgalloway
it is showing, Unknown search command 'index'.

richgalloway · ‎10-23-2020

I've corrected my reply.

---
If this reply helps you, Karma would be appreciated.

Set difference between two output of two query

eval

fields

join

rex

subsearch

table

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

First Steps with Splunk SOAR

How To Build a Self-Service Observability Practice with Splunk Observability Cloud

Are you a member of the Splunk Community?

Set difference between two output of two query