Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Sub-search not yielding results in SQL

seemakurthy
New Member
‎06-21-2019 12:49 PM

The search below does not yield results like NOT IN SQL. Any suggestion please.

earliest=06/19/2019:23:00:00 latest=06/20/2019:15:00:00 index="cf-pci" cf_app_name="order-event-publisher*" "Posted event message for OrderId*" | rex field=_raw "Posted event message for OrderId (?[A-Z0-9]*), versionId (?[0-9]*)"| eval return =  OrdNo."/".VerId| dedup return| stats count by return | table return 
|search NOT 
[ search earliest=06/19/2019:23:00:00 latest=06/20/2019:16:00:00 index=pt-supply-chain-visibility sourcetype=scv-listener-oms:application:access  "message.data.status"=processed | rename message.data.domainId as  OrdNo message.data.versionId as VerId | eval return =  OrdNo."/".VerId| dedup return| stats count by return| fields return]
0 Karma
Reply

woodcock
Esteemed Legend
‎07-11-2019 09:56 AM

Stop thinking SQL; try this:

(index="cf-pci" cf_app_name="order-event-publisher*" "Posted event message for OrderId*") OR
(index=pt-supply-chain-visibility sourcetype=scv-listener-oms:application:access  "message.data.status"=processed)
| rex "Posted event message for OrderId (?<OrderNo>[A-Z0-9]*), versionId (?<VerId>[0-9]*)"
| eval return = colesce(OrdNo,message.data.domainId) . "/" . colesce(VerId, message.data.versionId)
| stats dc(index) AS index_count values(index) AS index BY return
| where index_count==1
0 Karma
Reply

jnudell_2
Builder
‎06-21-2019 01:55 PM

Could you please add more details about what you are trying to accomplish with this search?

0 Karma
Reply

seemakurthy
New Member
‎06-21-2019 03:46 PM

I have two containers which are exchanging data, i am reconciling the data exchange between them. The top query gives me sender events, the sub query gives me receiver events. I am checking for events which are sent by producer and not received by the consumer.
Producer:-
earliest=06/19/2019:23:00:00 latest=06/20/2019:15:00:00 index="cf-pci" cf_app_name="order-event-publisher*" "Posted event message for OrderId*" | rex field=_raw "Posted event message for OrderId (?[A-Z0-9]), versionId (?[0-9])"| eval return = OrdNo."/".VerId| dedup return| stats count by return | table return

Consumer:-
search earliest=06/19/2019:23:00:00 latest=06/20/2019:16:00:00 index=pt-supply-chain-visibility sourcetype=scv-listener-oms:application:access "message.data.status"=processed | rename message.data.domainId as OrdNo message.data.versionId as VerId | eval return = OrdNo."/".VerId| dedup return| stats count by return| fields return]

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...