Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get fields value which are not matched with other field value?

dhirendra761
Contributor
‎12-19-2022 05:13 PM

Hi,

I have 2 searches.

1st query: (100 results including duplicate number)

 

 

index="abc" message.appName=app1 "Description"="After some string*"
| table _time Id number

 

 

2nd query:(80 results including duplicate d_number)

 

 

index="abc" message.appName=app2 "Description"="After some string2*"
| table _time d_Id d_number

 

 

 both d_number number are matching

How to get result-> only those number which are not matched with d_number

I need only 100-80=20 number which may contain duplicate values from 1st query. (eg: query1-query2)

Thank you in advance for your answer.

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎12-19-2022 08:12 PM

 

What if ids are different but numbers are the same? 

If you only want numbers that are in query 1 but not query 2, then this does it

(index="abc" message.appName=app1 "Description"="After some string*") OR
(index="abc" message.appName=app2 "Description"="After some string2*")
| eval common_number=coalesce(number, d_number)
| stats values("message.appName") as Apps by common_number
| where mvcount(Apps)=1 AND Apps="app1"

 

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-20-2022 12:06 AM

Hi @dhirendra761,

you can try the @bowesmana solution that's correct, but if you need only fields from the first search, you could try an easier solution like this:

index="abc" message.appName=app1 "Description"="After some string*" NOT [ index="abc" message.appName=app2 "Description"="After some string2*" | dedup d_number | rename d_number AS number | fields number ]
| table _time Id number

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎12-19-2022 08:12 PM

 

What if ids are different but numbers are the same? 

If you only want numbers that are in query 1 but not query 2, then this does it

(index="abc" message.appName=app1 "Description"="After some string*") OR
(index="abc" message.appName=app2 "Description"="After some string2*")
| eval common_number=coalesce(number, d_number)
| stats values("message.appName") as Apps by common_number
| where mvcount(Apps)=1 AND Apps="app1"

 

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-20-2023 02:26 AM

Hi @dhirendra761 ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...