Hi all, I need to select IP addresses from a search query that "are not" in another search query. How can I do this? Thanks a lot
You can use a subsearch with NOT:
http://www.splunk.com/base/Documentation/latest/User/HowSubsearchesWork
sourcetype=one NOT [ search sourcetype=two | fields ipaddr ]
Re-posting as a separate answer, since it was basically unreadable as a comment.
gkanapathy's solution above will work, but is going to do a raw-text match. If you want something more precise, wouldn't it be more like the following?
sourcetype=one NOT [ search sourcetype=two ipaddr=* | fields ipaddr | format ]
Granted, raw-text matching is almost always faster.
Ah, good to know, thanks!
format is called implicitly at the end of a subsearch inside a search, so both versions will always produce the same results. It will create a keyword search term (vs a field search term) if the field name happens to be either search or query. However, both the version with and without format explicitly specified will do the same.
Use the rename search command to rename the inner one to whatever it needs to be in the outer search.
Thanks, but I have some problems: the two IP fields have two different names. How can I do this? Thanks a lot
Use the rename search command: ... [ ... fields ipaddr | rename ipaddr as src1_ipaddr_fieldname ]
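Putting the three pieces from this thread together (the NOT subsearch, the explicit format, and the rename for mismatched field names) gives one complete query. This is an added example, not something posted in the thread; the sourcetypes firewall and allowlist, the field names src_ip and client_ip, and the 30-day window are assumptions chosen for illustration. It excludes every client_ip seen in the outer events that matches a src_ip from an allowlist sourcetype, then counts what remains:

```spl
sourcetype=firewall client_ip=*
    NOT [ search sourcetype=allowlist src_ip=* earliest=-30d
          | dedup src_ip
          | fields src_ip
          | rename src_ip AS client_ip
          | format ]
| stats count BY client_ip
| sort - count
```

The rename happens inside the subsearch so that format emits terms of the form client_ip="x.x.x.x", which is the field name the outer search actually carries; without it the NOT clause would test src_ip, a field the firewall events do not have, and nothing would be excluded. The dedup keeps the generated OR-list small. Subsearches are capped by default (10,000 results and 60 seconds in limits.conf), and an allowlist that exceeds the cap is silently truncated, so the exclusion becomes incomplete rather than failing; for a large or frequently changing list a lookup table is the more reliable way to carry this check.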