Hi Ninjas
I have a search which returns 1500 events. From that search I have extracted a field (e.g. FieldX) using a regex which matches 900 events. From the remaining 600 events, I found that I can extract another field (FieldY) which is the same as FieldX and matches another 200 events, but it needs a slight change in the regex. The problem is that the regex for FieldX is not extracting values for FieldY and vice versa, though they are the same fields that I need for the 900 + 200 = 1100 events.
So I wrote two separate regexes and two separate search queries to fetch the 1100 events and then do an append to put them all in an outputlookup.
Till this, everything is fine.
Now, I want to view the remaining 1500-1100=400 events and see if I can extract any other fields that might be similar to FieldX and FieldY but that do not satisfy the regex for FieldX or FieldY.
Basically, I want to do something like ((the events returned by main search) minus (events returned by search of FieldX + FieldY))
Is this possible to do?
Can you please suggest how I can do it?
Main Search:
index=idx1 sourcetype=src1 "GET /ajaxClient.aspx"
FieldX Search
index=idx1 sourcetype=src1 "GET /ajaxClient.aspx"
| table responseTime_1
Regex for FieldX - responseTime_1
(?=[^G]*(?:GET /ajaxClient.aspx|G.*GET /ajaxClient.aspx))^(?:[^=\n]*=){5}\w+\s+\d+\s+\d+\s+\d+\s+(?P<responseTime_1>.+)
FieldY Search
index=idx1 sourcetype=src1 "GET /ajaxClient.aspx" "&workser="
| table responseTime_2
Regex for FieldY - responseTime_2
(?=[^G]*(?:GET /ajaxClient.aspx|G.*GET /ajaxClient.aspx))^(?:[^\-\n]*\-){7}[a-f0-9]+\s+\d+\s+\d+\s+\d+\s+(?P<responseTime_2>.+)
Thanks
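The set difference the question asks for (main search minus the events either regex extracts) can be checked outside Splunk with the two patterns as posted. The block below is an added example, not code from the question or from Splunk; the four log lines are constructed to look like the web-server events the regexes expect (one hits the FieldX pattern, one hits the FieldY pattern, one matches the main search but neither pattern, one is outside the main search entirely). The capture-group names `responseTime_1` and `responseTime_2` are taken from the question; the event format itself is an assumption.

```python
import re

# The two extraction regexes from the question, capture-group names included.
# Python's re module supports the (?P<name>...) syntax Splunk's rex uses.
FIELD_X_RE = re.compile(
    r"(?=[^G]*(?:GET /ajaxClient.aspx|G.*GET /ajaxClient.aspx))"
    r"^(?:[^=\n]*=){5}\w+\s+\d+\s+\d+\s+\d+\s+(?P<responseTime_1>.+)"
)
FIELD_Y_RE = re.compile(
    r"(?=[^G]*(?:GET /ajaxClient.aspx|G.*GET /ajaxClient.aspx))"
    r"^(?:[^\-\n]*\-){7}[a-f0-9]+\s+\d+\s+\d+\s+\d+\s+(?P<responseTime_2>.+)"
)

# Stand-in for the main search's quoted term ("GET /ajaxClient.aspx").
MAIN_SEARCH_TERM = "GET /ajaxClient.aspx"

# Constructed sample events (assumed layout; not real data from the question).
SAMPLE_EVENTS = [
    # five '=' signs before the status/size/time columns -> FieldX regex
    "2019-01-01 10:00:00 GET /ajaxClient.aspx?a=1&b=2&c=3&d=4&e=5 200 512 120 0.345",
    # seven '-' characters then a hex token -> FieldY regex
    "2019-01-01 10:00:01 GET /ajaxClient.aspx?workser=1 sess-a1b2-c3d4-e5f6-77ab-beef 200 640 130 0.987",
    # in the main search, but matches neither regex (one of the "400 leftover" events)
    "2019-01-01 10:00:02 GET /ajaxClient.aspx?a=1 200 512 120 0.222",
    # not in the main search at all
    "2019-01-01 10:00:03 GET /login.aspx 200 100 10 0.050",
]


def main_search(events):
    """Events the main search would return: those containing the quoted term."""
    return [e for e in events if MAIN_SEARCH_TERM in e]


def extract(event):
    """Apply both regexes to one event and return whatever fields they yield."""
    fields = {}
    for rx in (FIELD_X_RE, FIELD_Y_RE):
        m = rx.search(event)
        if m:
            fields.update(m.groupdict())
    return fields


def split_events(events):
    """Return (matched, unmatched): matched is a list of (event, fields) pairs
    where at least one regex extracted a value; unmatched is the remainder of
    the main search, i.e. the events still worth looking at for a third pattern."""
    matched, unmatched = [], []
    for e in main_search(events):
        fields = extract(e)
        if fields:
            matched.append((e, fields))
        else:
            unmatched.append(e)
    return matched, unmatched


if __name__ == "__main__":
    matched, unmatched = split_events(SAMPLE_EVENTS)
    print("extracted:", len(matched), "leftover:", len(unmatched))
    for e in unmatched:
        print("  needs a new pattern:", e)
```

In Splunk itself the same split is normally done in one search rather than via two searches and an outputlookup: apply both patterns with two `rex` commands in the main search and keep only the events where both fields are missing (`| where isnull(responseTime_1) AND isnull(responseTime_2)`). That gives the 400 leftover events directly, and reviewing them with the script above makes it easy to confirm that a candidate third regex does not accidentally overlap the first two.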