Splunk nested queries

Question

I have the following query on splunk

index="cusomerIndex" source=*client-api* "pending customer approval"

This query gives me the following result

msg: pending customer approval for customer1`

I have another query on splunk

index="orderIndex" source=*order-api* "email notification sent"

this query gives me the following result in the customer field

customerId: customer1
msg: email notification sent

I'm trying to come up with a query where I get all the cutomers who had a result for "pending customer approval" but don't have a result for "email notification sent". I'm not an expert in splunk so not sure how to do it.

Your pending customer approval query doesn't return a customerId, so `index="cusomerIndex" source=*client-api* "pending customer approval" | rex " for (?[^\s]*$)" | table customerId` should give you the customer ID of the pending customer approval result. And then `index="cusomerIndex" source=*client-api* "pending customer approval" | rex " for (?[^\s]*$)" | table customerId | search NOT [search index="orderIndex" source=*order-api* "email notification sent" | return customerId]` should give what you want. — Jerry Jeremiah, Mar 23 '20 at 04:51
Let me know if that works, and if not I can help you figure out why. A couple places to look: https://answers.splunk.com/answers/37565/not-subsearch.html and https://answers.splunk.com/answers/483528/how-to-get-subsearch-to-return-a-result-which-is-n.html — Jerry Jeremiah, Mar 23 '20 at 04:52
Thanks for this, however it does not work, it fetches me items where the "email notification sent" message is present. It does not give me the items where this is not present. — pandith padaya, Mar 23 '20 at 22:46

score 0 · Answer 1 · answered Jan 12 '21 at 23:54

This should make it:

(index="cusomerIndex" source=*client-api* "pending customer approval") OR (index="orderIndex" source=*order-api* "email notification sent")
| rex field=_raw "approval for (?<custid>[^\s]+)"
| rex field=_raw "customerId: (?<custid>[^\s]+)"
| transaction custid 
| search NOT "email notification sent"

Splunk nested queries

1 Answers1