Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk where not query returning incorrect results

msrama5
Explorer
‎03-03-2020 08:41 PM

Hello, I have the following where not query returning rows that exists in sub search, following is the query
environment=test earliest=-48h latest=-24h index=iis_openapi /internal/loyalty/v1/ cs_uri_stem="registrations" cardid="*"
WHERE NOT [ search earliest=-48h index=log-cdx-prod source=kubernetes sourcetype=_json "cardRegistered" "cardId" | rename cardNumber as cardid | fields cardid | format] | table cardid

query says take cardid list from first query and return where cardid is not found in second sub search query, I am getting results where cardid is present in second query which is incorrect, condition is where not, any ideas what is going on here ?

Tags (1)
0 Karma
Reply

manjunathmeti
Champion
‎03-03-2020 09:30 PM

Remove WHERE from query and put sub-search in parentheses after NOT.

environment=test earliest=-48h latest=-24h index=iis_openapi /internal/loyalty/v1/ cs_uri_stem="registrations" cardid="*" NOT ([ search earliest=-48h index=log-cdx-prod source=kubernetes sourcetype=_json "cardRegistered" "cardId" | rename cardNumber as cardid | fields cardid | format]) | table cardid
0 Karma
Reply

msrama5
Explorer
‎03-04-2020 11:44 AM

Adding bracket is returning the same results , what I need is card id present in first query should not return based on the second sub search query, why would this query fail and return cardid present in first query ?

0 Karma
Reply

manjunathmeti
Champion
‎03-04-2020 03:32 PM

Remove cardid=“*” in first search and check.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...