Could you explain what's wrong with the original search? What is expected and what are the actual results? Importantly, what is the logic in your original search to meet your expectation? If I have to read your mind based on the code snippet, you are saying that

1. the main search should give you searches that have NOT produced notables (Question: Why are you searching for action.notable=1, not action.notable=0?);
2. the subsearch should give you searches that have produced notables (Note: Nobody in this forum except yourself knows what the dataset looks like. So, always explain dataset and logic.);

and the difference between 1 and 2 would give you something?

If I put down whether action.notable should be 1 or 0, i.e., assuming that has_triggered_notables = "false" is the correct label for the main search, it should have zero overlap with the subsearch, which you labeled as has_triggered_notables = "true". This means an outer join should give you everything in the main search. Is this what you see? Why would you expect anything different? Again, nobody in the forum except yourself has that answer.

Maybe action.notable is not something to indicate whether a notable is produced? Maybe this field doesn't even exist? You used the phrase "status enabled" to describe your criteria. But saved searches have no "enabled" or "not enabled" statuses. Do you mean scheduled, as discernible from the is_scheduled field, nothing to do with the nonexistent action.notable?

If you ask an unanswerable question, no one is able to give you an answer. And this one is full of hallmarks of unanswerable questions. Before I give up, let me make a final wild guess: by "enabled" you mean is_scheduled=1, there is nothing about action.notable, and the subsearch actually does something as I speculated above (2). In that case, this is a search you can try and tweak that doesn't involve an inefficient join:

| rest /services/saved/searches
| search title="*Rule" is_scheduled=1 NOT
    [search index=notable search_name="*Rule" orig_action_name=notable
    | stats values(search_name) as title]
| fields title