Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Syntax for subsearches for using NOT function btw 2 savedsearches

pradeep0802
New Member
‎04-17-2013 03:08 AM

Hi Guys,

I have here 2 savedsearches, now i want to do a left outer join between both of them.
I'm using the following query:
| savedsearch "saved1" NOT [| savedsearch "saved2" | dedup accid | fields accid]

There seems to be a problem with the syntax.
Or is it not possible to use it with SavedSearch??

Please Help.
Thanks!!

Tags (2)
0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎04-17-2013 05:36 AM

I get around the limitation of |search NOT [subsearch] by putting the NOT in the subsearch.

|savedsearch "saved1" [|savedsearch "saved2" | dedup accid| fields accid|format "NOT (" "(" "" ")" "OR" ")" ]

This forces the query returned to use the NOT.

0 Karma
Reply

pradeep0802
New Member
‎04-17-2013 09:56 PM

|savedsearch "saved1" [|savedsearch "saved2" | dedup accid| fields accid|format "NOT (" "(" "" ")" "OR" ")" ]

doesn't return anything
But,
|savedsearch "saved1" | search NOT [|savedsearch "saved2" | dedup accid| fields accid|format "NOT (" "(" "" ")" "OR" ")" ]

gives matching rows from both savedsearches.

but we need other unmatched rows from saved1.

any suggestion..? or any other way we can achieve this.

0 Karma
Reply

Ayn
Legend
‎04-17-2013 03:51 AM

The subsearch's results will be expanded to something like

((accid="accid1") OR (accid="accid2") OR ... )

Which is incorrect syntax for the subsearch command. You probably want to use it with the search command.

| savedsearch "saved1" | search NOT [| savedsearch "saved2" | dedup accid | fields accid]
0 Karma
Reply

pradeep0802
New Member
‎04-17-2013 04:17 AM

if i use
| search NOT
the resulted output is wrong

o\p saved1 is 20 rows and saved2 is 14 rows, there are 12 rows common in both. what we need is 8 rows from saved1 that are not present in saved2.. But using | search NOT gives result similar to outer join. ie 20 rows of saved1

what we are trying to achieve is similar to NOT IN clause in sql.

Any suggestion where we be going wrong..

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...