I am running a search that gets a list of accounts, multiple records that can have multiple accounts in each event. I need to find all accounts that are not valid. What I have so far produces results, but I can't figure out how to get the $acctid$ in the output. Right now I just get 2 records; the stats page shows a 0 for each one but no way to show the content of the $acctid$. I have manually checked and the number is correct: I have 2 bad accounts.
Basic search is:
index=events eventName="testevent" | spath output=acctid path="requestParameters.items{}.acctid" | stats list(acctid) as acctid by eventID | mvexpand acctid | map search="search index=acctlist Id=$acctid$ | stats count | where count=0"
The 1st half of the search produces:
eventID acctid
15326ca3-d4ce-421f-aa07-457fcc7c5df1 12345678
8b99fa14-fa4f-4cd2-8d5e-4d9244b5e027 04341234568
8b99fa14-fa4f-4cd2-8d5e-4d9244b5e027 34491234568
9d807652-8b16-4a1a-a985-236c8409b73c 12345678
c5e8b181-4440-4af3-8687-805522ab67e8 04341234568
e539d095-8664-4c68-99ba-1ef1329ec78d 34491234568
ebf27592-2741-4093-b035-eaf3d1ecc4ee 04341234568
I know the 1st and 4th entries are bad accounts and the map command produces 2 results, but it just shows the zero from the count. How do I get the contents of either the acctid or eventID in the results?
count
0
0
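One way to carry the account and event identifiers into the map output, written as an added example rather than code from the question above. It keeps the poster's index names (`events`, `acctlist`) and field names (`acctid`, `eventID`, `Id`) as assumptions; the only change is an `eval` inside the mapped search, where `$acctid$` and `$eventID$` are substituted by `map` from the outer row before the inner search runs, so the zero-count rows come back labelled:

```spl
index=events eventName="testevent"
| spath output=acctid path="requestParameters.items{}.acctid"
| stats list(acctid) as acctid by eventID
| mvexpand acctid
| map maxsearches=100 search="search index=acctlist Id=$acctid$
    | stats count
    | eval acctid=\"$acctid$\", eventID=\"$eventID$\"
    | where count=0"
```

`stats count` still returns one row with `count=0` when the inner search matches nothing, so the `eval` that follows it attaches the substituted values to that row and `where count=0` keeps only the accounts missing from `acctlist`. The inner quotes are backslash-escaped because the whole mapped search sits inside one double-quoted string. `map` runs one search per outer row and stops after `maxsearches` (default 10) rows, so the limit is raised here; on a large event set a subsearch that excludes known-valid IDs (`| search NOT [ search index=acctlist | fields Id | rename Id AS acctid ]`) scales better than `map`, at the cost of the subsearch result limit instead.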