Splunk Search

Why does the subsearch not exclude the results from main search?

mmarinov
Explorer

I have the following search:

index=my_index asset_type="Workstation" asset_atp="false" asset_status="ACTIVE" earliest=-1d@d latest=-0d@d
| search NOT
    [search index=my_index asset_type="Workstation"  asset_status="ACTIVE" earliest=-1d@d latest=-0d@d
| eval nexttime=strftime(relative_time(now(),"-w@w") ,"%Y-%m-%d %H:%M:%S")
| where ad_date_created>nexttime]

When i run the searches separately, the first one returns 1841 events and the second one returns 487 events.
But the combined search does not exclude the results from the second search so I get the full 1841 events again.

When I use those searches with stats, just to get the count of the events, everything looks fine and I get the deisred result of 1354 with the following search:

index=my_index asset_type="Workstation" asset_atp="false" asset_status="ACTIVE" earliest=-1d@d latest=-0d@d
| stats count as TotalA
| appendcols 
[search index=my_index asset_type="Workstation"  asset_status="ACTIVE" earliest=-1d@d latest=-0d@d
| eval nexttime=strftime(relative_time(now(),"-w@w") ,"%Y-%m-%d %H:%M:%S")
| where ad_date_created>nexttime
| stats count as TotalB]
| eval Total=TotalA-TotalB
| fields Total

What am I doing wrong?

Thanks in advance for the help!

0 Karma

kmaron
Motivator

You should be able to just flip your greater than to a less than or equal. The only other difference in your queries is the asset_atp="false" and it just excludes more things.

index=my_index asset_type="Workstation" asset_status="ACTIVE" asset_atp="false" earliest=-1d@d latest=-0d@d 
| eval nexttime=strftime(relative_time(now(),"-w@w") ,"%Y-%m-%d %H:%M:%S") 
| where ad_date_created<=nexttime
0 Karma

kartm2020
Communicator

Hi nmarinov,

Can you pleae try the below query and let me know whether it is working as expected.
index=my_index asset_atp="false" earliest=-1d@d latest=-0d@d | eval ExceptionType=if(searchmatch ("Workstation"), ("ACTIVE"),("false")
| eventstats dc(ExceptionType) AS numExceptionTypes values(ExceptionType) AS ExceptionTypes | search numExceptionTypes=1 AND ExceptionType="false"

I have tried my level best based on your inputs. Lets c 🙂

0 Karma

mmarinov
Explorer

Hi kartm,

Unfortunately, yout query does not return any results.

Best regards.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...