Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

not able to merge 2 queries to get the desired result

vinitpathri
Path Finder
‎04-06-2021 01:26 AM

I have 2 queries

1st is 

| rest /services/data/indexes
| fields title
| dedup title
| table title

this query is giving me all the indexes in my environment

 

2nd query is

| rest /servicesNS/-/-/saved/searches
| rex field=search "index=(?P<title>[^ ]+)"
| stats count by title
| sort -count
| table title

this is giving me all the indexes on which any savedsearch is created.

 

Now i want to see the remove the 2nd query set from 1st and just wanted to see the indexes on which there are no savedsearches in the environment.

I have tried placing "NOT" between the queries but not able to get the desired result.

Please help

 

Thanks in advance.

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎04-12-2021 01:58 AM

Hi @vinitpathri,

Your first query outputs titles event rex does not match, please try below, I filtered internal indexes and also index=* searches;

| rest /services/data/indexes 
| fields title 
| dedup title 
| search title!="_*" 
| table title 
| search NOT 
    [| rest /servicesNS/-/-/saved/searches 
    | rex field=search "index=(?P<searched_index>[^ ]+)" 
    | where isnotnull(searched_index) AND searched_index!="_*" 
    | fields searched_index 
    | rename searched_index as title 
    | dedup title 
    | regex title="[^\*]" ]

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

vinitpathri
Path Finder
‎04-12-2021 01:42 AM

Thanks for your quick reply but the above query is not giving the exact required result (i am getting few of the indexes/feeds on which there is no savedsearch but not all)

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-12-2021 02:40 AM

I guess there are a couple of things to try. Firstly, depending on your searches, you may or may not use double quotes around index names, so trim those. Secondly, again depending on your searches, you may be searching more than one index, so use max_match=0. Finally, title is returned by saved/searches so you should probably override that with the index name found.

| rest /services/data/indexes
| fields title
| dedup title
| append [
| rest /servicesNS/-/-/saved/searches
| rex field=search max_match=0 "index=(?P<searchindex>[^\s]+)"
| eval title=trim(searchindex,"\"")
| stats count by title
]
| stats values(*) as * by title
| where isnull(count)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-06-2021 01:36 AM 
| rest /services/data/indexes
| fields title
| dedup title
| append [
| rest /servicesNS/-/-/saved/searches
| rex field=search "index=(?P<title>[^ ]+)"
| stats count by title
]
| stats values(*) as * by title
| where isnull(count)
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...