Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to only return subsearch results which are not available on main search?

splunkxorsplunk
Explorer
‎07-29-2022 01:14 PM

I have two indexes which include same data in a different fields as seen below. 

index1 -- user, fileName, ...etc

index2 -- event.file, actor

user = actor and fileName = event.file

The following search gives me if a user and their file in index2 is available in the index1, but I dont need this since I know they should be included in index1

What I am trying to find is : If a user and their file in index2 is NOT available in the index1, I wanna list them out. 

Thanks for help

index="index1"

[search index="index2" "event"=event2 event.file="something_*"

| table event.file, actor
| rename event.file as fileName, actor as user
]

| table actor

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-29-2022 01:54 PM

Swap the searches and you should get what you're looking for.

index="index2"
NOT [search index="index1" "event"=event2 fileName="something_*"
| fields fileName user
| rename fileName as event.file, user as actor
| format
]
| table actor
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

splunkxorsplunk
Explorer
‎07-29-2022 02:28 PM

Thanks for solution recommendations!

My initial pivot point should be index2 since index1 includes all files and actors. if a user and associated file is available in index2 but not index1, that is what I am looking for. 

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-29-2022 01:54 PM

Swap the searches and you should get what you're looking for.

index="index2"
NOT [search index="index1" "event"=event2 fileName="something_*"
| fields fileName user
| rename fileName as event.file, user as actor
| format
]
| table actor
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...