Splunk Search

main search | where not <fieldname> IN [subsearch] not working

marshad
Explorer

Hello

I have a similar situation where I have two sources of data, and in the data I get the filenames processed, but the file naming convention is different in the two data sources.
So I build a pattern using eval and some string manipulation to match across both sources.

So I am trying hard to find filenames that are in source1 but not in source2.

So here is what I am trying to do:

index="clouddata" Application=CS Message.PublisherId="PROD_*ONGOING*"|
rename Message.FileName as cs_filename | dedup cs_filename |
eval ercode = mvindex(split(cs_filename,"_"),1) |
eval servicedatetime = mvindex(split(cs_filename,"_"),2) |
strcat ercode servicedatetime fileSearchStr |
eval fileSearch = substr(fileSearchStr,0,18) | table fileSearch | where NOT fileSearch IN [search index="serverdata" Application=SP |
rename Message.FileName as sp_filename | dedup sp_filename |
eval ercode = mvindex(split(sp_filename,"_"),0) |
eval datetime = mvindex(split(sp_filename,"_"),1) |
strcat ercode datetime fileSearchStr1 |
eval fileSearch="\"".fileSearch."\"" | stats values(fileSearch) as search delim="," | nomv search]


That field fileSearch would look like "10010JYR2011240547"
And when I run the subsearch as a separate main query, it gives me something like "10005ABC2020112405","10010JYR2011240547","100839TIN202011240","83101ICC2020112406"

Getting an error:
Error in 'where' command: The expression is malformed. Expected (.

Can I get some help on this?


richgalloway
SplunkTrust

The IN operator expects a list of quoted strings within parentheses.  You have the list, just add the parens.

---
If this reply helps you, an upvote would be appreciated.

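The query from the question with the fix from this answer applied, as an added example that is not from either poster: the list produced by the subsearch is wrapped in parentheses so that IN receives the form it expects. One further change is my assumption: the subsearch's last eval quotes fileSearchStr1, the field the subsearch actually builds with strcat, because the original referenced a fileSearch field that the subsearch never creates.

```spl
index="clouddata" Application=CS Message.PublisherId="PROD_*ONGOING*"
| rename Message.FileName as cs_filename
| dedup cs_filename
| eval ercode = mvindex(split(cs_filename,"_"),1)
| eval servicedatetime = mvindex(split(cs_filename,"_"),2)
| strcat ercode servicedatetime fileSearchStr
| eval fileSearch = substr(fileSearchStr,0,18)
| table fileSearch
| where NOT fileSearch IN (
    [ search index="serverdata" Application=SP
      | rename Message.FileName as sp_filename
      | dedup sp_filename
      | eval ercode = mvindex(split(sp_filename,"_"),0)
      | eval datetime = mvindex(split(sp_filename,"_"),1)
      | strcat ercode datetime fileSearchStr1
      | eval fileSearchStr1 = "\"" . fileSearchStr1 . "\""
      | stats values(fileSearchStr1) as search delim=","
      | nomv search ]
  )
```

Because the subsearch returns a field named search, Splunk substitutes its comma-separated string verbatim, so the where clause expands to `where NOT fileSearch IN ("10005ABC2020112405","10010JYR2011240547",...)`. Subsearches are capped by default at 10,000 results and 60 seconds, so if source2 has more distinct filenames than that, the list is silently truncated and files present in source2 will wrongly appear as missing.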

marshad
Explorer

This worked. Thanks


to4kawa
SplunkTrust

sample:


index=_internal 
| fields sourcetype | dedup sourcetype
| table sourcetype
| search NOT sourcetype IN ([ search index=_internal splunkd
| fields sourcetype | dedup sourcetype | stats values(sourcetype) as search delim="," | nomv search])


Try search, not where.
