Hi all, I need to select IP addresses from a search query that "are not" in another search query. How can I do this? Thanks a lot.
Re-posting as a separate answer, since it was basically unreadable as a comment.
gkanapathy's solution above will work, but is going to do a raw-text match. If you want something more precise, wouldn't it be more like the following?
sourcetype=one NOT [ search sourcetype=two ipaddr=* | fields ipaddr | format ]
Granted, raw-text matching is almost always faster.
format is called implicitly at the end of a subsearch inside a search, so both versions will always produce the same results. It will create a keyword search term (vs a field search term) if the field name happens to be either query. However, both the version with and without format explicitly specified will do the same.
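A fuller version of the field-based pattern from the answers above, added here as an example rather than taken from either poster. The sourcetypes one and two and the field ipaddr are the ones used in the thread; the dedup, the stats summary and any IP values mentioned below are constructed for illustration.

```spl
sourcetype=one ipaddr=*
    NOT [ search sourcetype=two ipaddr=* | dedup ipaddr | fields ipaddr | format ]
| stats count AS events, min(_time) AS first_seen, max(_time) AS last_seen BY ipaddr
| sort - events
```

To see exactly what the outer search receives, run the subsearch on its own (sourcetype=two ipaddr=* | dedup ipaddr | fields ipaddr | format) and look at its search field; with two addresses it is a field-based clause such as ( ( ipaddr="10.0.0.5" ) OR ( ipaddr="10.0.0.9" ) ), which the NOT in the outer search negates. If the field is renamed to search before format (… | rename ipaddr AS search | fields search), format emits the values as bare keywords instead, which is the raw-text behaviour described above. The dedup matters for correctness at scale: a subsearch is cut off at the limits.conf [subsearch] defaults of 10,000 results and 60 seconds, so duplicate rows would silently eat into that budget and drop addresses from the exclusion list.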