Splunk where not query returning incorrect results

msrama5 · ‎03-03-2020

Hello, I have the following where not query returning rows that exists in sub search, following is the query
environment=test earliest=-48h latest=-24h index=iis_openapi /internal/loyalty/v1/ cs_uri_stem="registrations" cardid="*"
WHERE NOT [ search earliest=-48h index=log-cdx-prod source=kubernetes sourcetype=_json "cardRegistered" "cardId" | rename cardNumber as cardid | fields cardid | format] | table cardid

query says take cardid list from first query and return where cardid is not found in second sub search query, I am getting results where cardid is present in second query which is incorrect, condition is where not, any ideas what is going on here ?

manjunathmeti · ‎03-03-2020

Remove WHERE from query and put sub-search in parentheses after NOT.

environment=test earliest=-48h latest=-24h index=iis_openapi /internal/loyalty/v1/ cs_uri_stem="registrations" cardid="*" NOT ([ search earliest=-48h index=log-cdx-prod source=kubernetes sourcetype=_json "cardRegistered" "cardId" | rename cardNumber as cardid | fields cardid | format]) | table cardid

msrama5 · ‎03-04-2020

Adding bracket is returning the same results , what I need is card id present in first query should not return based on the second sub search query, why would this query fail and return cardid present in first query ?

manjunathmeti · ‎03-04-2020

Remove cardid=“*” in first search and check.

Splunk where not query returning incorrect results

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!