Hello:
I have a single source file that contains a string of interest.
When I run this query I get a single correct answer:
sourcetype=*** _raw = "*WARNING UPS AUTO VOLT REG ON*" earliest="-2w" latest = "now" | dedup source | table source
"Correct answer" meaning the file name ("source" field) that contains the "WARNING UPS AUTO VOLT REG ON" text string.
But when I negate the search query (" _raw !=" instead of "_raw ="):
sourcetype=*** _raw != "*WARNING UPS AUTO VOLT REG ON*" earliest="-2w" latest = "now" | dedup source | table source
I get a list of files that includes the file that does have the string of interest. I'm confused as to how the same source file can appear as both containing and not containing the string of interest.
It's probably something simple I'm overlooking, suggestions welcome. Thanks.
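The effect described in the post follows from the fact that a Splunk search filters individual events, not source files: `_raw != "*...*"` keeps every event that lacks the string, and a file that holds one WARNING line among many routine lines still contributes its routine lines, so `dedup source` lists it under both queries. The Python below is an added illustration, not code from the post or from Splunk; it models the two searches and a source-level exclusion over a handful of constructed events. The event lines, file names and the SPL in the comments are assumptions made for the example.

```python
import re

# Constructed sample events as (source, _raw) pairs, standing in for the
# indexed events a Splunk search would scan. Not data from the post.
EVENTS = [
    ("/var/log/ups/ups1.log", "10:00:00 INFO UPS STATUS OK"),
    ("/var/log/ups/ups1.log", "10:05:00 WARNING UPS AUTO VOLT REG ON"),
    ("/var/log/ups/ups1.log", "10:10:00 INFO UPS STATUS OK"),
    ("/var/log/ups/ups2.log", "10:00:00 INFO UPS STATUS OK"),
    ("/var/log/ups/ups2.log", "10:05:00 INFO BATTERY 100%"),
    ("/var/log/syslog",       "10:00:00 INFO sshd started"),
]

PATTERN = "*WARNING UPS AUTO VOLT REG ON*"


def raw_matches(pattern, raw):
    """Model `_raw = "<pattern>"`: `*` is a wildcard and the comparison is
    case-insensitive, like Splunk's default search-term matching."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, raw, flags=re.IGNORECASE) is not None


def sources_matching(events, pattern):
    """`_raw = "<pattern>" | dedup source | table source`:
    filter events first, then list each surviving source once."""
    return sorted({src for src, raw in events if raw_matches(pattern, raw)})


def sources_not_matching(events, pattern):
    """`_raw != "<pattern>" | dedup source | table source`:
    the negation is applied per event, so a source with even one
    non-matching event survives the filter and reaches dedup."""
    return sorted({src for src, raw in events if not raw_matches(pattern, raw)})


def sources_without_any_match(events, pattern):
    """Source-level exclusion: sources where no event at all matches.
    The same idea in SPL is to aggregate per source before filtering
    (assumed formulation, not from the post):
      ... | eval hit=if(match(_raw, "(?i)WARNING UPS AUTO VOLT REG ON"), 1, 0)
          | stats sum(hit) AS hits by source | where hits=0
    """
    hits = {}
    for src, raw in events:
        hits[src] = hits.get(src, 0) + (1 if raw_matches(pattern, raw) else 0)
    return sorted(src for src, n in hits.items() if n == 0)


if __name__ == "__main__":
    matching = sources_matching(EVENTS, PATTERN)
    not_matching = sources_not_matching(EVENTS, PATTERN)
    print("_raw =  :", matching)
    print("_raw != :", not_matching)
    # ups1.log appears in both lists: it has one WARNING line and two others.
    print("in both :", sorted(set(matching) & set(not_matching)))
    print("no hits :", sources_without_any_match(EVENTS, PATTERN))
```

Running it shows `/var/log/ups/ups1.log` in both the `=` and `!=` results, which is exactly the overlap the post asks about; only the per-source aggregation in `sources_without_any_match` yields "files that never contain the string".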