Splunk Search

"NOT IN" between two search query

pinzer
Path Finder

Hi all, I need to select IP addresses from a search query that "are not" in another search query. How can I do this? Thanks a lot.

1 Solution

gkanapathy
Splunk Employee

You can use a subsearch with NOT:

http://www.splunk.com/base/Documentation/latest/User/HowSubsearchesWork

sourcetype=one NOT [ search sourcetype=two | fields ipaddr ]


southeringtonp
Motivator

Re-posting as a separate answer, since it was basically unreadable as a comment.

gkanapathy's solution above will work, but is going to do a raw-text match. If you want something more precise, wouldn't it be more like the following?

sourcetype=one NOT [ search sourcetype=two ipaddr=* | fields ipaddr | format ]

Granted, raw-text matching is almost always faster.


southeringtonp
Motivator

Ah, good to know, thanks!


gkanapathy
Splunk Employee

format is called implicitly at the end of a subsearch inside a search, so both versions will always produce the same results. It will create a keyword search term (vs a field search term) if the field name happens to be either search or query. However, both the version with and without format explicitly specified will do the same.

gkanapathy
Splunk Employee

Use the rename search command to rename the inner one to whatever it needs to be in the outer search.


pinzer
Path Finder

Thanks, but I have some problems. The two IP fields have two different names. How can I do this? Thanks a lot.


gkanapathy
Splunk Employee

Use the rename search command: ... [ ... fields ipaddr | rename ipaddr as src1_ipaddr_fieldname ]

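As an added example (not code from this thread or from Splunk), the following Python model shows what the answers above describe: the implicit format at the end of a subsearch turns each returned row into ( field="value" ) terms joined by OR, and the outer NOT drops events that match any of them. The events, the field names src_ip and ipaddr, and the user names are constructed for illustration. It also shows the failure mode the rename answer prevents: when the inner field name does not match the outer one, the generated terms never match anything, so NOT excludes nothing and every event of the outer search comes back.

```python
"""Simulate how Splunk expands a subsearch placed under NOT.

Added example, not code from the original thread or from Splunk. It models the
implicit ``format`` at the end of a subsearch (rows become ( f="v" ) terms
joined by OR) and the outer NOT, using constructed events and field names.
"""

# Constructed events. sourcetype=one carries the address in src_ip,
# sourcetype=two carries it in ipaddr: the mismatch pinzer asked about.
EVENTS_ONE = [
    {"sourcetype": "one", "src_ip": "10.0.0.1", "user": "alice"},
    {"sourcetype": "one", "src_ip": "10.0.0.2", "user": "bob"},
    {"sourcetype": "one", "src_ip": "10.0.0.3", "user": "carol"},
    {"sourcetype": "one", "src_ip": "10.0.0.1", "user": "dave"},
]
EVENTS_TWO = [
    {"sourcetype": "two", "ipaddr": "10.0.0.1"},
    {"sourcetype": "two", "ipaddr": "10.0.0.3"},
    {"sourcetype": "two", "ipaddr": "10.0.0.1"},  # duplicate, removed by dedup
]


def subsearch(events, field, rename_to=None):
    """'search <field>=* | fields <field> [| rename <field> AS <rename_to>]'.

    One row per event that has the field, keeping only that field under its
    original or renamed name.
    """
    rows = []
    for event in events:
        if field in event:
            rows.append({rename_to or field: event[field]})
    return rows


def dedup(rows):
    """'| dedup <field>': keep the first occurrence of each distinct row."""
    seen = []
    for row in rows:
        if row not in seen:
            seen.append(row)
    return seen


def expand(rows):
    """Render the search string Splunk's format command builds from the rows:
    ( ( f="v" ) OR ( f="v" ) ). Fields inside one row are ANDed."""
    clauses = [
        "( " + " AND ".join(f'{k}="{v}"' for k, v in row.items()) + " )"
        for row in rows
    ]
    return "( " + " OR ".join(clauses) + " )"


def matches_any(event, rows):
    """An event matches a row when every field=value pair in that row holds.
    A field the event does not carry never matches (field search, not raw text)."""
    return any(all(event.get(k) == v for k, v in row.items()) for row in rows)


def outer_not(events, rows):
    """'sourcetype=one NOT [ ... ]': keep events matching none of the rows."""
    return [event for event in events if not matches_any(event, rows)]


def demo():
    # Without rename the terms are ipaddr="...". Events in sourcetype=one have
    # no ipaddr field, so nothing is excluded and all four events come back.
    naive = outer_not(EVENTS_ONE, dedup(subsearch(EVENTS_TWO, "ipaddr")))
    # With rename the terms become src_ip="...", so 10.0.0.1 and 10.0.0.3 drop out.
    fixed_rows = dedup(subsearch(EVENTS_TWO, "ipaddr", rename_to="src_ip"))
    fixed = outer_not(EVENTS_ONE, fixed_rows)
    return len(naive), [e["user"] for e in fixed], expand(fixed_rows)


if __name__ == "__main__":
    print(demo())
```

The corresponding SPL, with the assumed field names, is sourcetype=one NOT [ search sourcetype=two ipaddr=* | dedup ipaddr | rename ipaddr AS src_ip | fields src_ip ]. Two caveats worth checking in a real deployment: a subsearch is capped by the subsearch limits in limits.conf (10,000 results and 60 seconds by default), so when sourcetype=two holds more distinct addresses than that the exclusion list is silently truncated; dedup inside the subsearch keeps the generated search string small and helps stay under the cap.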