
Confusing Search Output

Hi,

sourcetype="SourceA" ERROR NOT "GET-INFO" NOT "GET-ArchivedInfo" NOT "Error1" NOT "ERROR2"

This search gives 0 results found, meaning there are two types of error.

Now, when creating a report like:

sourcetype="SourceA" ERROR NOT "GET-INFO" NOT "GET-ArchivedInfo"
| eval errorMessage = "Others"
| append[search sourcetype="SourceA" ERROR NOT "GET-INFO" NOT "GET-ArchivedInfo" "Error1"]
| eval errorMessage = "Error1"
| append[search sourcetype="SourceA" ERROR NOT "GET-INFO" NOT "GET-ArchivedInfo" "Error2"]
| eval errorMessage = "Error2"

Here the search results are showing so many errorMessage values as "Others".

Can someone please help me understand what I am doing wrong?
