Below are the log events I have. One event has two `savedsearch_name` fields with two values, `"Apache_Monitor"` and an empty `""`; the other event has only one `savedsearch_name`.
```
Audit:[timestamp=xx-xx-xxxx xx:xx:xx.xxx, id=xxxxx, user=admin, action=search, info=granted , search_id='xxxxxxxx', index=summary `savedsearch_name`="Apache_Monitor"', enable_lookups='1', extra_fields='*', `savedsearch_name`=""]
Audit:[timestamp=xx-xx-xxxx xx:xx:xx.xxx, id=xxxxx, user=admin, action=search, info=granted , search_id='xxxxxxxx', index=summary `savedsearch_name`="Apache_Monitor"']
```
I want to look only for events with one field and one value (the 2nd event). So I tried to use a NOT condition to get rid of the events with two copies of the same field (the 1st event):

```
index=_audit action="search" (savedsearch_name="Apache_Monitor") NOT (savedsearch_name="") search=* NOT "typeahead" NOT metadata NOT "|history" NOT "AUTOSUMMARY"
```

But it doesn't work. How do I exclude the events which have no value?
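To make the intended filter explicit outside of Splunk, here is an added Python example (not part of the question or of any Splunk code) that parses the two audit events above as constructed samples, collects `savedsearch_name` as a multivalue field, and keeps only events where that field has exactly one non-empty value. The key/value regex and the function names are this example's own assumptions about the event format shown.

```python
import re

# Constructed sample audit events, copied in shape from the question (values are placeholders).
AUDIT_EVENTS = [
    "Audit:[timestamp=xx-xx-xxxx xx:xx:xx.xxx, id=xxxxx, user=admin, action=search, info=granted , "
    "search_id='xxxxxxxx', index=summary `savedsearch_name`=\"Apache_Monitor\"', enable_lookups='1', "
    "extra_fields='*', `savedsearch_name`=\"\"]",
    "Audit:[timestamp=xx-xx-xxxx xx:xx:xx.xxx, id=xxxxx, user=admin, action=search, info=granted , "
    "search_id='xxxxxxxx', index=summary `savedsearch_name`=\"Apache_Monitor\"']",
]

# key=value pairs as they appear in the events: the key may be wrapped in backticks,
# the value may be double-quoted, single-quoted, or a bare token ending at ',', whitespace or ']'.
KV_RE = re.compile(r'''`?(\w+)`?=("[^"]*"|'[^']*'|[^,\s\]]*)''')


def extract_fields(event):
    """Return {field: [values...]} for one event; repeated keys become a multivalue list,
    and an empty quoted value is kept as "" so it can be inspected."""
    fields = {}
    for key, raw in KV_RE.findall(event):
        value = raw.strip("\"'")
        fields.setdefault(key, []).append(value)
    return fields


def has_single_nonempty(fields, name="savedsearch_name"):
    """True only when the field occurs exactly once and that value is not empty."""
    values = fields.get(name, [])
    return len(values) == 1 and values[0] != ""


def filter_events(events, name="savedsearch_name"):
    """Keep the events whose `name` field has one non-empty value (the 2nd event above)."""
    return [e for e in events if has_single_nonempty(extract_fields(e), name)]


if __name__ == "__main__":
    for event in AUDIT_EVENTS:
        print(extract_fields(event).get("savedsearch_name"))
    print(len(filter_events(AUDIT_EVENTS)), "event(s) kept")
```

This reads the raw event text, so it does not depend on whether the search-time field extraction treats the empty `""` as a second value of `savedsearch_name` or drops it; that difference is what decides whether a field-based `NOT savedsearch_name=""` can match at all, so checking the multivalue count (or the raw text) is the more reliable criterion.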