how to exclude a events in the search query if the...

Rajiv_splunk · ‎07-09-2024

I have a scenario where events are coming from one index =sample field= status as status 1, 2, 3, 4 , and 5. I have to exclude all the status which is present in the other index =services as status 1 and 2. How can i achieve it.

I am trying the below query in the base query to exclude but it is not working

index=sample status=*

''''''base query"'''

|search NOT

[search index="service" earliest=-24h latest=now |search status IN (1,2)| table status]

gcusello · ‎07-09-2024

Hi @Rajiv_splunk ,

please try this:

index=sample status=*
NOT [ search 
     index="service" earliest=-24h latest=now  status IN (1,2)
     | table  status ]

don't use the search command after the main search, you'll have more performant searches.

if the two searches don't match, check if the values in the subsearch are compatible with the values of the main earch.

Ciao.

Giuseppe

how to exclude a events in the search query if the events is present in the other index

subsearch

.conf25 Global Broadcast: Don’t Miss a Moment

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025

Are you a member of the Splunk Community?

how to exclude a events in the search query if the events is present in the other index

subsearch

.conf25 Global Broadcast: Don’t Miss a Moment

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025