Suppose I have logged data with certain fields like id, level, message etc.
Ex:
id: 123
level: warn
message: xyz task is being performed (msg1)
I need to find all logs that have the above message logged but should not have gone through a log with the message 'abc task is being performed' (msg2).
So what I was trying to do was first get all ids which have msg1, then use a subsearch to search, for each of those ids, that NOT (msg2) is found. But it isn't working, and I even tried:
fields id | map search=" search sourcetype=default_abc id=* NOT "abc task is being performed" "
Sorry, I am new to this, so I might be wrong in my understanding of a lot of it.
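The check the question describes (ids that logged msg1 but never logged msg2) does not need a per-id subsearch: one pass over the events, collecting the ids seen with each message and taking the set difference, gives the answer. Below is an added example of that logic in Python; it is not code from the original post or from Splunk. The `key:value` line layout, the field names `id`, `level` and `message`, the `parse_event` helper and the sample events are all assumptions constructed for the example.

```python
import re

# The two messages from the question.
MSG1 = "xyz task is being performed"
MSG2 = "abc task is being performed"

# Constructed sample events in the post's id/level/message layout (not real data).
# id 123 goes through both messages, id 456 only through msg1,
# id 789 only through msg2, and id 321 logs something unrelated.
SAMPLE_LOGS = [
    "id:123 level:warn message:xyz task is being performed",
    "id:123 level:info message:abc task is being performed",
    "id:456 level:warn message:xyz task is being performed",
    "id:789 level:info message:abc task is being performed",
    "id:456 level:warn message:xyz task is being performed",
    "id:321 level:error message:xyz task failed",
]

# A value runs until the next 'word:' token or end of line, so messages may
# contain spaces. (Assumed line format; adjust for the real sourcetype.)
FIELD_RE = re.compile(r"(\w+):(.*?)(?=\s+\w+:|$)")


def parse_event(line):
    """Turn one 'key:value key:value ...' line into a dict of fields."""
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}


def ids_with_msg1_but_not_msg2(lines, msg1=MSG1, msg2=MSG2):
    """Return the set of ids that logged msg1 and never logged msg2.

    Two sets are filled in a single pass; the set difference is the
    'msg1 but NOT msg2' condition evaluated per id, not per event.
    """
    seen_msg1, seen_msg2 = set(), set()
    for line in lines:
        ev = parse_event(line)
        if "id" not in ev:
            continue  # events without an id cannot be correlated
        if ev.get("message") == msg1:
            seen_msg1.add(ev["id"])
        elif ev.get("message") == msg2:
            seen_msg2.add(ev["id"])
    return seen_msg1 - seen_msg2


def matching_events(lines, msg1=MSG1, msg2=MSG2):
    """All msg1 events whose id never went through msg2 (the post's goal)."""
    keep = ids_with_msg1_but_not_msg2(lines, msg1, msg2)
    out = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("message") == msg1 and ev.get("id") in keep:
            out.append(ev)
    return out


if __name__ == "__main__":
    for ev in matching_events(SAMPLE_LOGS):
        print(ev)
```

With the sample events only id 456 qualifies: 123 is dropped because it also logged msg2, and 789 never logged msg1 at all. The same shape carries over to Splunk: search for both messages in one query, aggregate per id with `stats ... by id` (counting each message separately), and then filter with `where` on those per-id counts, rather than mapping a subsearch over every id.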