Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

main search | where not <fieldname> IN [subsearch] not working

marshad
Explorer
‎11-24-2020 11:41 AM

Hello

I have similar situation where I have 2 sources of data and in data I get filenames processed but filenaming convention is different in both data sources.
So for that matter I get a pattern using eval and some string manipulations to match in both sources.

So I am trying hard to find filenames that are in source1 but not in source2.

So here I am trying to do:

index="clouddata" Application=CS Message.PublisherId="PROD_*ONGOING*"|
rename Message.FileName as cs_filename | dedup cs_filename |
eval ercode = mvindex(split(cs_filename,"_"),1) |
eval servicedatetime = mvindex(split(cs_filename,"_"),2) |
strcat ercode servicedatetime fileSearchStr |
eval fileSearch = substr(fileSearchStr,0,18) | table fileSearch | where NOT fileSearch IN [search index="serverdata" Application=SP |
rename Message.FileName as sp_filename | dedup sp_filename |
eval ercode = mvindex(split(sp_filename,"_"),0) |
eval datetime = mvindex(split(sp_filename,"_"),1) |
strcat ercode datetime fileSearchStr1 |
eval fileSearch="\"".fileSearch."\"" | stats values(fileSearch) as search delim="," | nomv search]


That field fileSearch would look like "10010JYR2011240547"
And when I run subsearch as a separate main query it gives me something like "10005ABC2020112405","10010JYR2011240547","100839TIN202011240","83101ICC2020112406"

Getting an error:
Error in 'where' command: The expression is malformed. Expected (.

Can I get some help on this?

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-24-2020 01:47 PM

The IN operator expects a list of quoted strings within parentheses.  You have the list, just add the parens.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

marshad
Explorer
‎11-24-2020 02:35 PM

This worked. Tks

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎11-24-2020 02:12 PM

sample:

 

index=_internal 
| fields sourcetype | dedup sourcetype
| table sourcetype
| search NOT sourcetype IN ([ search index=_internal splunkd
| fields sourcetype | dedup sourcetype | stats values(sourcetype) as search delim="," | nomv search])

 

try search not where

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-24-2020 01:47 PM

The IN operator expects a list of quoted strings within parentheses.  You have the list, just add the parens.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...