I'm trying to filter out events from a search based on a list of strings retrieved from the results of another search, like this:
... NOT [search ... | dedup title | eval title=substr(title, 5) | fields title]
However, I keep getting a Regex: invalid UTF-8 string error.
Is my syntax incorrect? Should I be going about this a different way?
Let me know if I can provide any additional information to help.
I figured it out. Instead of using NOT I did this:
... | where ![search ... | dedup title | eval title=substr(title, 5) | fields title]
I do not understand the error but you can do it like this and probably bypass the error:
... | dedup title | eval title=substr(title, 5) | fields title | map search="NOT $title$"