Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

NOT Search is not giving the expected result

ajees_basha
Explorer
‎09-17-2020 03:18 AM

i am trying the exclude the events in the sub search query using Search NOT. It is not returning the expected result.

in this i am trying to exclude "system=APICleanUp callbacknumber=* Message="API Success" sourcetype=application_prod" events. Both the logs are are coming from 2 different system..callback is the common field between two search queries.

Query:

environment=PROD system=API1 Message="API l logs"|dedup callbacknumber
| search NOT [search system=APICleanUp callbacknumber=* Message="API Success" sourcetype=application_prod ]| table callbacknumber

 

Any help will be highly appreciated

Labels (3)
Tags (1)
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-18-2020 01:08 AM

then my query should definitely work. if you can give more details I can troubleshoot. like sample event of two data sets and extracted fields and used fields in search. 

————————————
If this helps, give a like below.
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-17-2020 06:55 AM

but callbacknumber is unique for both right ?

————————————
If this helps, give a like below.
0 Karma
Reply

ajees_basha
Explorer
‎09-17-2020 05:54 PM

yes it is unique in both the queries

0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-17-2020 04:42 AM 
environment=PROD system=API1 Message="API l logs"|stats count as events_count by callbacknumber
| append [search system=APICleanUp callbacknumber=* Message="API Success" sourcetype=application_prod | stats count as subevents_count by callbacknumber]
| stats values(*) as * by callbacknumber
| where isnotnull(events_count) AND isnull(subevents_count)
————————————
If this helps, give a like below.
Reply

ajees_basha
Explorer
‎09-17-2020 06:48 AM

Thanks for your time @thambisetty ..sorry it is not giving the expected result.

Basically i would like to see the callback numbers which should have the log Message="API 1 logs" and should not have the log Message= "API Success".

first Message="API 1 logs" event will happen in the system=API1 followed by the event Message= "API Success" in the system=APICleanUp.

 

 

0 Karma
Reply

ajees_basha
Explorer
‎09-17-2020 03:20 AM

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...