I'm looking for the join syntax for an outer join in Splunk that is not "all of A and all of B that's in A". Rather, what I need is "all of A that's not in B."
The A and B index records look something like this (simplifying):
filename=<variable>,
So the query would have to be something like, where the tag values would be completely different with no overlapping values between the two indexes; however, the filename values would overlap. I want to find filenames in A that are not in B, based on a different value for tag in both indexes.
This is what I'm trying:
index=A tag="tagM" | join type=left [ search tag="tagY" index=B ]
But I don't understand how to get the subset of A that's not in B.
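One way to express "all of A that's not in B" without `join`, shown here as an added example that is not part of the original post: search both indexes at once, group by `filename`, and keep only the filenames whose events all came from index A. It assumes `filename` is an extracted field in both indexes; `idx` is a name introduced for the illustration.

```spl
(index=A tag="tagM") OR (index=B tag="tagY")
| stats values(index) AS idx BY filename
| where mvcount(idx)=1 AND idx="A"
| fields filename
```

The same set difference can be written as `index=A tag="tagM" NOT [ search index=B tag="tagY" | fields filename ]`, but that form is bounded by the subsearch result and time limits, so it can silently miss exclusions when B is large.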