I believe this is what you’re looking for:
index=main sourcetype=srctp orderNumber=* "failed insert" NOT
[search index=main sourcetype=srctp orderNumber=* "successful insert"
| stats count by orderNumber
| fields - count ]
| stats count by orderNumber
| fields - count
First, stats is going to be a lot more performant than dedup.
Second, so long as your "successful insert" search is 10k items or fewer, it should complete.
If it's longer than 10k items, you may need to do something like this:
index=main orderNumber=* ("failed insert" OR "successful insert")
| rex field=_raw "(?<insert>\w+ )insert"
| stats values(insert) as inserts by orderNumber
| search inserts="*failed*"
| where mvcount(inserts)<2
What this should do is extract the type of insert ("failed" or "successful") into a new field named insert.
Then stats values() all of the insert types each orderNumber had.
Then ensure we're only looking at orderNumber entries that have a "failed" insert.
Then check to make sure there is only one entry in the values()'d field (i.e. there is no "successful" entry present).
from User warren – Stack Overflow https://stackoverflow.com/questions/75440402/splunk-filter-one-search-by-another/75440847#75440847
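The two SPL queries in the answer above compute the same set (orders with a failed insert and no successful one) in two different ways. The following Python is an added example, not part of the Stack Overflow answer or of Splunk, that replays both approaches over a handful of constructed log lines so the equivalence and the edge cases (an order that failed and then succeeded on retry, an order that failed twice) can be checked offline. The event format, the order numbers and the regexes are assumptions chosen to match the fields the answer uses.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the original post). The format is an
# assumption: a timestamp, an orderNumber=... field and the insert outcome.
SAMPLE_EVENTS = [
    "2023-02-13 10:00:01 orderNumber=1001 successful insert",
    "2023-02-13 10:00:02 orderNumber=1002 failed insert",
    "2023-02-13 10:00:03 orderNumber=1002 successful insert",  # retried and succeeded
    "2023-02-13 10:00:04 orderNumber=1003 failed insert",
    "2023-02-13 10:00:05 orderNumber=1003 failed insert",      # failed twice, never succeeded
    "2023-02-13 10:00:06 orderNumber=1004 successful insert",
    "2023-02-13 10:00:07 orderNumber=1005 queued",             # no insert outcome at all, ignored
]

# Same capture as the answer's rex: the word in front of "insert" is the outcome.
INSERT_RE = re.compile(r"(?P<insert>\w+) insert")
ORDER_RE = re.compile(r"orderNumber=(?P<orderNumber>\S+)")


def extract(events):
    """Yield (orderNumber, insert_type) for every event that carries both fields,
    mirroring `orderNumber=* ("failed insert" OR "successful insert") | rex ...`."""
    for raw in events:
        order = ORDER_RE.search(raw)
        insert = INSERT_RE.search(raw)
        if order and insert:
            yield order.group("orderNumber"), insert.group("insert")


def failed_only_subsearch(events):
    """First query: failed inserts NOT [orders that ever had a successful insert].

    The subsearch is the set of orders with a successful insert; NOT removes
    them from the failed set. Returns sorted orderNumbers.
    """
    failed = {order for order, kind in extract(events) if kind == "failed"}
    successful = {order for order, kind in extract(events) if kind == "successful"}
    return sorted(failed - successful)


def failed_only_stats(events):
    """Second query: stats values(insert) by orderNumber, then keep orders whose
    values contain "failed" and have fewer than two distinct entries.

    values() de-duplicates, so a Python set models the multivalue field and
    len(set) models mvcount(). Returns sorted orderNumbers.
    """
    values = defaultdict(set)
    for order, kind in extract(events):
        values[order].add(kind)
    return sorted(order for order, kinds in values.items()
                  if "failed" in kinds and len(kinds) < 2)


if __name__ == "__main__":
    print("subsearch approach:", failed_only_subsearch(SAMPLE_EVENTS))
    print("stats approach:    ", failed_only_stats(SAMPLE_EVENTS))
```

Both functions return only order 1003: 1002 is dropped because a later successful insert exists, and 1003's two failures collapse to a single "failed" value. One caveat the set model makes visible: `mvcount(inserts)<2` stands in for "no successful insert" only while "failed" and "successful" are the sole outcomes the rex can capture. If the logs ever contain a third outcome (for example a "partial insert"), an order with failed plus partial would be excluded even though it never succeeded, so in that case filter on the absence of "successful" explicitly rather than on the count.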