How to find records where a field's value doesn't ...

saqib99 · ‎01-21-2020

I have the following two searches:

1) earliest=-4h latest=now index="main" field1="somethingA"
2) earliest=-4h latest=now index="main" field2="somethingB"

All records contain a field name field3.

I want to find all the records that are in query #1 but whose field3 is not found in any records in query #2.

How can I do it?

saqib99 · ‎01-22-2020

This worked:

> earliest=-4h latest=now index="main" field1="somethingA" NOT [search earliest=-4h latest=now index="main" field2="somethingB" | fields + field3]

to4kawa · ‎01-22-2020

I see, please accept your answer and close.

to4kawa · ‎01-21-2020

index=main (field1="somethingA" OR field2="somethingB" ) earliest=-4h latest=now 
| streamstats window=1 values(eval(if(field1="somethingA" AND NOT field2="somethingB","flag",NULL))) as field3_exc_field2_inc_field1
| where field3_exc_field2_inc_field1="flag"

hi, @saqib99
how about this?

saqib99 · ‎01-22-2020

That didn't work. But the answer shown below did.

How to find records where a field's value doesn't exist in a subsearch?

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!