Splunk Search

search command

uhkc777
Explorer

Here is my search query.

index=parmed-stage|eval _time=_time+14400|table _time OrderId OrderDetailID _raw|search NOT [|search index=sapecc-stage source=DBX:SAPECC-SE8 sourcetype=DBX:SAP-SalesOrder| table SALESORDERNUM ITEMDETAILID|rename SALESORDERNUM as OrderId, ITEMDETAILID as OrderDetailID] |table _raw OrderId OrderDetailID

I want to get the events from parmed which are not in sapecc index.
Here the OrderId field in parmed matches SALESORDERNUM and OrderDetailID matches ITEMDETAILID. I want to get the events which don't match.

0 Karma

woodcock
Esteemed Legend

Like this:

index=parmed-stage OR (index=sapecc-stage source=DBX:SAPECC-SE8 sourcetype=DBX:SAP-SalesOrder)
| eval OrderId=coalesce(OrderId, SALESORDERNUM)
| eval OrderDetailID=coalesce(OrderDetailID, ITEMDETAILID)
| eventstats dc(index) AS numIndices BY OrderId OrderDetailID
| search numIndices=1 index=parmed-stage
| table _raw OrderId OrderDetailID
0 Karma

sundareshr
Legend

Try like this

index=parmed-stage NOT [search index=sapecc-stage source=DBX:SAPECC-SE8 sourcetype=DBX:SAP-SalesOrder| table SALESORDERNUM ITEMDETAILID|rename SALESORDERNUM as OrderId, ITEMDETAILID as OrderDetailID] | table _raw OrderId OrderDetailID
0 Karma

uhkc777
Explorer

@sundareshr
itsearch index=parmed-stage NOT ( ( OrderDetailID="10" AND OrderId="1000041934" ) OR ( OrderDetailID="90" AND OrderId="1000022259" ) OR ( OrderDetailID="80" AND OrderId="1000022259" ) OR ( OrderDetailID="70" AND OrderId="1000022259" ) OR ( OrderDetailID="60" AND OrderId="1000022259" ) OR ( OrderDetailID="50" AND OrderId="1000022259" ) OR ( OrderDetailID="40" AND OrderId="1000022259" ) OR ( OrderDetailID="30" AND OrderId="1000022259" ) OR ( OrderDetailID="20" AND OrderId="1000022259" ) OR ( OrderDetailID="10" AND OrderId="1000022259" ) OR ( OrderDetailID="10" AND OrderId="1000041933" ) OR ( OrderDetailID="10" AND OrderId="1000041932" ) OR ( OrderDetailID="10" AND OrderId="1000041911" ) OR ( OrderDetailID="40" AND OrderId="1000041100" ) OR ( OrderDetailID="50" AND OrderId="1000041100" ) OR ( OrderDetailID="60" AND OrderId="1000041100" ) OR ( OrderDetailID="30" AND OrderId="1000041100" ) OR ( OrderDetailID="20" AND OrderId="1000041100" ) OR ( OrderDetailID="10" AND OrderId="1000041100" ) OR ( OrderDetailID="10" AND OrderId="1000041055" ) OR ( OrderDetailID="40" AND OrderId="1000041046" ) OR ( OrderDetailID="30" AND OrderId="1000041046" ) OR ( OrderDetailID="20" AND OrderId="1000041046" ) OR ( OrderDetailID="10" AND OrderId="1000041046" ) OR ( OrderDetailID="10" AND OrderId="1000041045" ) OR ( OrderDetailID="40" AND OrderId="1000041045" ) OR ( OrderDetailID="30" AND OrderId="1000041045" ) OR ( OrderDetailID="20" AND OrderId="1000041045" ) OR ( OrderDetailID="40" AND OrderId="1000041044" ) OR ( OrderDetailID="30" AND OrderId="1000041044" ) OR ( OrderDetailID="20" AND OrderId="1000041044" ) OR ( OrderDetailID="10" AND OrderId="1000041044" ) OR ( OrderDetailID="40" AND OrderId="1000041043" ) OR ( OrderDetailID="30" AND OrderId="1000041043" ) OR ( OrderDetailID="20" AND OrderId="1000041043" ) OR ( OrderDetailID="10" AND OrderId="1000041043" ) OR ( OrderDetailID="10" AND OrderId="1000041042" ) OR ( OrderDetailID="40" AND OrderId="1000041042" ) OR ( OrderDetailID="30" AND 
OrderId="1000041042" ) OR ( OrderDetailID="20" AND OrderId="1000041042" ) OR ( OrderDetailID="40" AND OrderId="1000041041" ) OR ( OrderDetailID="30" AND OrderId="1000041041" ) OR ( OrderDetailID="20" AND OrderId="1000041041" ) OR ( OrderDetailID="10" AND OrderId="1000041041" ) OR ( OrderDetailID="40" AND OrderId="1000041040" ) OR ( OrderDetailID="30" AND OrderId="1000041040" ) OR ( OrderDetailID="20" AND OrderId="1000041040" ) OR ( OrderDetailID="10" AND OrderId="1000041040" ) OR ( OrderDetailID="10" AND OrderId="1000041039" ) OR ( OrderDetailID="40" AND OrderId="1000041039" ) OR ( OrderDetailID="30" AND OrderId="1000041039" ) OR ( OrderDetailID="20" AND OrderId="1000041039" ) OR ( OrderDetailID="40" AND OrderId="1000041038" ) OR ( OrderDetailID="30" AND OrderId="1000041038" ) OR ( OrderDetailID="20" AND OrderId="1000041038" ) OR ( OrderDetailID="10" AND OrderId="1000041038" ) OR ( OrderDetailID="40" AND OrderId="1000041037" ) OR ( OrderDetailID="30" AND OrderId="1000041037" ) OR ( OrderDetailID="20" AND OrderId="1000041037" ) OR ( OrderDetailID="10" AND OrderId="1000041037" ) OR ( OrderDetailID="10" AND OrderId="1000041036" ) OR ( OrderDetailID="40" AND OrderId="1000041036" ) OR ( OrderDetailID="30" AND OrderId="1000041036" ) OR ( OrderDetailID="20" AND OrderId="1000041036" ) OR ( OrderDetailID="40" AND OrderId="1000041035" ) OR ( OrderDetailID="30" AND OrderId="1000041035" ) OR ( OrderDetailID="20" AND OrderId="1000041035" ) OR ( OrderDetailID="10" AND OrderId="1000041035" ) OR ( OrderDetailID="40" AND OrderId="1000041034" ) OR ( OrderDetailID="30" AND OrderId="1000041034" ) OR ( OrderDetailID="20" AND OrderId="1000041034" ) OR ( OrderDetailID="10" AND OrderId="1000041034" ) OR ( OrderDetailID="10" AND OrderId="1000041033" ) OR ( OrderDetailID="40" AND OrderId="1000041033" ) OR ( OrderDetailID="30" AND OrderId="1000041033" ) OR ( OrderDetailID="20" AND OrderId="1000041033" ) OR ( OrderDetailID="40" AND OrderId="1000041032" ) OR ( OrderDetailID="30" AND 
OrderId="1000041032" ) OR ( OrderDetailID="20" AND OrderId="1000041032" ) OR ( OrderDetailID="10" AND OrderId="1000041032" ) OR ( OrderDetailID="40" AND OrderId="1000041031" ) OR ( OrderDetailID="30" AND OrderId="1000041031" ) OR ( OrderDetailID="20" AND OrderId="1000041031" ) OR ( OrderDetailID="10" AND OrderId="1000041031" ) OR ( OrderDetailID="10" AND OrderId="1000041030" ) OR ( OrderDetailID="40" AND OrderId="1000041030" ) OR ( OrderDetailID="30" AND OrderId="1000041030" ) OR ( OrderDetailID="20" AND OrderId="1000041030" ) OR ( OrderDetailID="40" AND OrderId="1000041029" ) OR ( OrderDetailID="30" AND OrderId="1000041029" ) OR ( OrderDetailID="20" AND OrderId="1000041029" ) OR ( OrderDetailID="10" AND OrderId="1000041029" ) OR ( OrderDetailID="40" AND OrderId="1000041028" ) OR ( OrderDetailID="30" AND OrderId="1000041028" ) OR ( OrderDetailID="20" AND OrderId="1000041028" ) OR ( OrderDetailID="10" AND OrderId="1000041028" ) OR ( OrderDetailID="10" AND OrderId="1000041027" ) OR ( OrderDetailID="40" AND OrderId="1000041027" ) OR ( OrderDetailID="30" AND OrderId="1000041027" ) OR ( OrderDetailID="20" AND OrderId="1000041027" ) OR ( OrderDetailID="40" AND OrderId="1000041026" ) OR ( OrderDetailID="30" AND OrderId="1000041026" ) OR ( OrderDetailID="20" AND OrderId="1000041026" ) OR ( OrderDetailID="10" AND OrderId="1000041026" ) OR ( OrderDetailID="40" AND

0 Karma

sundareshr
Legend

This looks right to me. Does the query look right to you? Are the field names identical (case sensitive)?

0 Karma

uhkc777
Explorer

@Sundaresh

0 Karma

sundareshr
Legend

No attachment. Can you just copy paste the NOT () bit as text?

0 Karma

uhkc777
Explorer

Check the attachment image in the next answer for litsearch.

0 Karma

uhkc777
Explorer

No, it's not working. It's just showing all events in parmed (includes common events in sapecc, which I don't want).

0 Karma

sundareshr
Legend

Click on Job >> Inspect Job and scroll down till you see litsearch (Ctrl+F litsearch on the popup window) and see if that search is correct. If not, let me know what that should be. This searches for NOT (OrderId="xyz" AND OrderDetailID="abc"). Do you want NOT (OrderId="xyz" OR OrderDetailID="abc")?

0 Karma
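
Added example (not part of any post in this thread): a small Python model of how the subsearch rows expand into the `NOT ( ( ... AND ... ) OR ... )` filter seen in litsearch, and of the field-name case check asked about above. It assumes Splunk's behaviour that field names are case-sensitive and that a `NOT field="value"` term keeps events lacking that field; the sample events and the misspelled `OrderID` rename are constructed for illustration.

```python
def expand_subsearch(rows):
    """Render subsearch rows in the litsearch shape: ( ( a="1" AND b="2" ) OR ... )."""
    groups = []
    for row in rows:
        terms = " AND ".join(f'{k}="{v}"' for k, v in row.items())
        groups.append(f"( {terms} )")
    return "( " + " OR ".join(groups) + " )"


def row_matches(event, row):
    # Field names are compared case-sensitively; a field that is absent
    # from the event can never satisfy a field="value" term.
    return all(k in event and event[k] == v for k, v in row.items())


def not_in_subsearch(events, rows):
    """Model of `base search NOT [subsearch]`: drop events matching any row."""
    return [e for e in events if not any(row_matches(e, r) for r in rows)]


def rename(rows, mapping):
    """Model of `| rename X as Y` applied to the subsearch output."""
    return [{mapping[k]: v for k, v in r.items()} for r in rows]


# Constructed sample data: two pairs exist in both indexes, two only in parmed.
PARMED = [
    {"OrderId": "1000041934", "OrderDetailID": "10"},
    {"OrderId": "1000022259", "OrderDetailID": "90"},
    {"OrderId": "1000099999", "OrderDetailID": "10"},  # order missing from SAP
    {"OrderId": "1000022259", "OrderDetailID": "95"},  # order in SAP, item is not
]
SAP = [
    {"SALESORDERNUM": "1000041934", "ITEMDETAILID": "10"},
    {"SALESORDERNUM": "1000022259", "ITEMDETAILID": "90"},
]

# Rename matching the parmed field names exactly.
GOOD = rename(SAP, {"SALESORDERNUM": "OrderId", "ITEMDETAILID": "OrderDetailID"})
# Hypothetical mistake: "OrderID" differs from "OrderId" only by case.
BAD = rename(SAP, {"SALESORDERNUM": "OrderID", "ITEMDETAILID": "OrderDetailID"})

if __name__ == "__main__":
    print(expand_subsearch(GOOD))
    print("correct names  :", not_in_subsearch(PARMED, GOOD))
    print("case mismatch  :", len(not_in_subsearch(PARMED, BAD)), "events kept")
```

With matching field names only the two parmed-only pairs remain; with the case mismatch every parmed event is kept, because no event carries the misspelled field.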

uhkc777
Explorer

NOT (OrderId="xyz" AND OrderDetailID="abc")-----I want this one

0 Karma

sundareshr
Legend

What does litsearch show?

0 Karma

uhkc777
Explorer

Only those 2 field values match in the 2 indexes... everything remaining is different.

0 Karma