
How to implement "NOT IN" in Splunk

1. I have an index that is populated by an extensive, long-running query that creates a line like "Client1 Export1 Missed. Expected Time: 06:15:00".
2. I have another index that is populated with fields to be overwritten and not appear in the report. So if this above file needs to not show up, I have the information of "Client1" and "Export1".

I am looking for a way to search for all results in point 2 (the ones to not include) and exclude them in point 1. Something like this:

`| where "Missed Exports Message Alert" NOT in [ search sourcetype="si_Export_FileMissed" earliest=-24h@h | eval clearExport = ClientID + " " + ExportType | table clearExport ]`

How do you use NOT in, as this is not working as I expect? Another way to ask this question is how to exclude results from a subsearch from the overall search.
