I have two sourcetypes A and B - each has a column SERIAL_NUMBER
Sourcetype A has over 1000,000 records Sourcetype B has over 15,000 records
I need every SERIAL_NUMBER in sourcetype A that is NOT present in sourcetype B - SO - I write a subsearch and insert a NOT in there - like SO :
sourcetype="A" SERIAL_NUMBER= * | search NOT [ search sourcetype="B" SERIAL_NUMBER= * | fields + SERIAL_NUMBER] | dedup SERIAL_NUMBER | table SERIAL_NUMBER
Is there a better way to create this query ?
I tried doing an outer join but that did not work out well