Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Sub-search not yielding results in SQL
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sub-search not yielding results in SQL
The search below does not yield results like NOT IN SQL. Any suggestion please.
earliest=06/19/2019:23:00:00 latest=06/20/2019:15:00:00 index="cf-pci" cf_app_name="order-event-publisher*" "Posted event message for OrderId*" | rex field=_raw "Posted event message for OrderId (?[A-Z0-9]*), versionId (?[0-9]*)"| eval return = OrdNo."/".VerId| dedup return| stats count by return | table return
|search NOT
[ search earliest=06/19/2019:23:00:00 latest=06/20/2019:16:00:00 index=pt-supply-chain-visibility sourcetype=scv-listener-oms:application:access "message.data.status"=processed | rename message.data.domainId as OrdNo message.data.versionId as VerId | eval return = OrdNo."/".VerId| dedup return| stats count by return| fields return]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Stop thinking SQL; try this:
(index="cf-pci" cf_app_name="order-event-publisher*" "Posted event message for OrderId*") OR
(index=pt-supply-chain-visibility sourcetype=scv-listener-oms:application:access "message.data.status"=processed)
| rex "Posted event message for OrderId (?<OrderNo>[A-Z0-9]*), versionId (?<VerId>[0-9]*)"
| eval return = colesce(OrdNo,message.data.domainId) . "/" . colesce(VerId, message.data.versionId)
| stats dc(index) AS index_count values(index) AS index BY return
| where index_count==1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you please add more details about what you are trying to accomplish with this search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have two containers which are exchanging data, i am reconciling the data exchange between them. The top query gives me sender events, the sub query gives me receiver events. I am checking for events which are sent by producer and not received by the consumer.
Producer:-
earliest=06/19/2019:23:00:00 latest=06/20/2019:15:00:00 index="cf-pci" cf_app_name="order-event-publisher*" "Posted event message for OrderId*" | rex field=_raw "Posted event message for OrderId (?[A-Z0-9]), versionId (?[0-9])"| eval return = OrdNo."/".VerId| dedup return| stats count by return | table return
Consumer:-
search earliest=06/19/2019:23:00:00 latest=06/20/2019:16:00:00 index=pt-supply-chain-visibility sourcetype=scv-listener-oms:application:access "message.data.status"=processed | rename message.data.domainId as OrdNo message.data.versionId as VerId | eval return = OrdNo."/".VerId| dedup return| stats count by return| fields return]
Data Management Digest – December 2025
Index This | What is broken 80% of the time by February?
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
