how to exclude the subsearch result from main sear...

ycho1 · ‎10-26-2021

hello,

Can anyone tell me how to exclude the subsearch result from main search?
I want to exclude the result that failed at 1st attempt, but later the person purchased successfully.

I only want to capture PURCHASEID(s) that failed and has not been able to purchase yet.

Here's my pseudo code that I am trying to accomplish

index=main sourcetype="access_combined_wcookie" AND ("*TIME_OUT*")
| rex field=_raw "\[(?<PURCHASEID>\d{12}\-\d{3})\]"
| search NOT [ search index=main sourcetype="access_combined_wcookie" AND ("*Successfully Ordered*")"
| rex field=_raw "\[(?<PURCHASEID>\d{12}\-\d{3})\]" | table PURCHASEID]
| table PURCHASEID, _raw
| dedup PURCHASEID
| sort +PURCHASEID

PickleRick · ‎10-26-2021

You could try it with subsearch and exclusion (you'd need to enclose the subsearch in parentheses though) but it will be highly inefficient. If you can corelate on a particular field (and I can see you want to use PURCHASEID for this), use either selfjoin, transaction or even simple stats to group your events.

ycho1 · ‎10-27-2021

Can you provide me a good example on how to write selfjoin or other solution with my intention if you are willing to help?

isoutamo · ‎10-27-2021

Maybe this helps https://conf.splunk.com/files/2019/slides/FNC2751.pdf

ycho1 · ‎10-28-2021

Is there any other suggestion?

I have not made much progress on this, I was looking for some examples with selfjoin, transaction or stats commad, it won't go anywhere.

how to exclude the subsearch result from main search

subsearch

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!