Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a search to return hosts that have no results in a map search?

ollie920049
Path Finder
‎11-11-2014 03:49 PM

I have a search, lets say:

sourcetype=foo earliest=-1d@d | map search="search host=$host$ earliest=@d sourcetype=bar | count by host | table host, count"

This returns the opposite of what I want, all hosts from the first search that have results in the mapped search.

I'm interested in the opposite. I want hosts that return from

sourcetype=foo earliest=-1d@d

which don't have any events in the mapped search

Is there a way to achieve this?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

musskopf
Builder
‎11-11-2014 05:49 PM

I don't think you need to use map command there. Maybe try:

sourcetype=foo earliest=-1d@d [ search sourcetype=bar earliest=@d | fields host | dedup host ]
 | stats count by host

You should get all content from sourcetype=foo that have host="the hosts from the sub-search". You can easily invert the order of the main and the subsearch if necessary.

View solution in original post

Reply
Solved! Jump to solution
Solution

musskopf
Builder
‎11-11-2014 05:49 PM

I don't think you need to use map command there. Maybe try:

sourcetype=foo earliest=-1d@d [ search sourcetype=bar earliest=@d | fields host | dedup host ]
 | stats count by host

You should get all content from sourcetype=foo that have host="the hosts from the sub-search". You can easily invert the order of the main and the subsearch if necessary.

Reply
Solved! Jump to solution

ollie920049
Path Finder
‎11-12-2014 02:31 PM

It worked with your suggestion, however, the dataset I was returning in the subsearch was huge. I tweaked it a little and ended up with the following:

sourcetype=foo earliest=-1d@d
| ... (data needed manipulating before I could filter out hosts)
| search NOT [
| metadata type=hosts sourcetype=bar

| eval day_ago=relative_time(now(), "-1d")
| where latestTime > day_ago
| fields host
| dedup host
| format ]
| table host

That performed very well. Thanks for your help.

Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...