Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

main search | where not <fieldname> IN [subsearch] not working

marshad
Explorer
‎11-24-2020 11:41 AM

Hello

I have similar situation where I have 2 sources of data and in data I get filenames processed but filenaming convention is different in both data sources.
So for that matter I get a pattern using eval and some string manipulations to match in both sources.

So I am trying hard to find filenames that are in source1 but not in source2.

So here I am trying to do:

index="clouddata" Application=CS Message.PublisherId="PROD_*ONGOING*"|
rename Message.FileName as cs_filename | dedup cs_filename |
eval ercode = mvindex(split(cs_filename,"_"),1) |
eval servicedatetime = mvindex(split(cs_filename,"_"),2) |
strcat ercode servicedatetime fileSearchStr |
eval fileSearch = substr(fileSearchStr,0,18) | table fileSearch | where NOT fileSearch IN [search index="serverdata" Application=SP |
rename Message.FileName as sp_filename | dedup sp_filename |
eval ercode = mvindex(split(sp_filename,"_"),0) |
eval datetime = mvindex(split(sp_filename,"_"),1) |
strcat ercode datetime fileSearchStr1 |
eval fileSearch="\"".fileSearch."\"" | stats values(fileSearch) as search delim="," | nomv search]


That field fileSearch would look like "10010JYR2011240547"
And when I run subsearch as a separate main query it gives me something like "10005ABC2020112405","10010JYR2011240547","100839TIN202011240","83101ICC2020112406"

Getting an error:
Error in 'where' command: The expression is malformed. Expected (.

Can I get some help on this?

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-24-2020 01:47 PM

The IN operator expects a list of quoted strings within parentheses.  You have the list, just add the parens.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

marshad
Explorer
‎11-24-2020 02:35 PM

This worked. Tks

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎11-24-2020 02:12 PM

sample:

 

index=_internal 
| fields sourcetype | dedup sourcetype
| table sourcetype
| search NOT sourcetype IN ([ search index=_internal splunkd
| fields sourcetype | dedup sourcetype | stats values(sourcetype) as search delim="," | nomv search])

 

try search not where

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-24-2020 01:47 PM

The IN operator expects a list of quoted strings within parentheses.  You have the list, just add the parens.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...