Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Syntax for subsearches for using NOT function btw 2 savedsearches

pradeep0802
New Member
‎04-17-2013 03:08 AM

Hi Guys,

I have here 2 savedsearches, now i want to do a left outer join between both of them.
I'm using the following query:
| savedsearch "saved1" NOT [| savedsearch "saved2" | dedup accid | fields accid]

There seems to be a problem with the syntax.
Or is it not possible to use it with SavedSearch??

Please Help.
Thanks!!

Tags (2)
0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎04-17-2013 05:36 AM

I get around the limitation of |search NOT [subsearch] by putting the NOT in the subsearch.

|savedsearch "saved1" [|savedsearch "saved2" | dedup accid| fields accid|format "NOT (" "(" "" ")" "OR" ")" ]

This forces the query returned to use the NOT.

0 Karma
Reply

pradeep0802
New Member
‎04-17-2013 09:56 PM

|savedsearch "saved1" [|savedsearch "saved2" | dedup accid| fields accid|format "NOT (" "(" "" ")" "OR" ")" ]

doesn't return anything
But,
|savedsearch "saved1" | search NOT [|savedsearch "saved2" | dedup accid| fields accid|format "NOT (" "(" "" ")" "OR" ")" ]

gives matching rows from both savedsearches.

but we need other unmatched rows from saved1.

any suggestion..? or any other way we can achieve this.

0 Karma
Reply

Ayn
Legend
‎04-17-2013 03:51 AM

The subsearch's results will be expanded to something like

((accid="accid1") OR (accid="accid2") OR ... )

Which is incorrect syntax for the subsearch command. You probably want to use it with the search command.

| savedsearch "saved1" | search NOT [| savedsearch "saved2" | dedup accid | fields accid]
0 Karma
Reply

pradeep0802
New Member
‎04-17-2013 04:17 AM

if i use
| search NOT
the resulted output is wrong

o\p saved1 is 20 rows and saved2 is 14 rows, there are 12 rows common in both. what we need is 8 rows from saved1 that are not present in saved2.. But using | search NOT gives result similar to outer join. ie 20 rows of saved1

what we are trying to achieve is similar to NOT IN clause in sql.

Any suggestion where we be going wrong..

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...