I'm trying to do a search for servers that have reported to verify their status (server up or server down). I have something like this:
|metadata type=hosts | eval status=if(now()-lastTime < 60, "server up", "server down") | fields host,status | sort host
I also have servers that have been decommissioned and are tagged as such (tag::decommissioned).
How do I exclude the tagged servers from my search? Or, is there a better way to do this?
You have to insert the tags into the results and then filter it out like:
|metadata type=hosts |tags | search NOT tag::decommissioned=* | eval status=if(now()-lastTime < 60, "server up", "server down") | fields host,status | sort host
🙂
Thanks jtrucks!
I had to modify it slightly, but it worked:
...| tags | search NOT tag::host="decommissioned" | ...
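Putting the answer and the follow-up correction together, here is the complete search as an added example (not a query from either poster). It assumes the tag named decommissioned is assigned to values of the host field, so the tags command emits it as tag::host, and it assumes the 60-second threshold from the original question:

```spl
| metadata type=hosts
| tags host
| search NOT tag::host="decommissioned"
| eval age_sec=now()-recentTime
| eval status=if(age_sec < 60, "server up", "server down")
| fields host, status, age_sec
| sort host
```

Two details worth checking before relying on this as a log-source health check. First, filtering with `search NOT tag::host="decommissioned"` rather than a null test on tag::host matters when a host carries several tags: tag::host is then multivalue and the search form excludes the host if any of its tags matches. Second, metadata type=hosts returns both lastTime (the latest event timestamp seen for the host) and recentTime (the index time of the most recently indexed event); comparing against recentTime avoids a host with skewed or future-dated event timestamps appearing to be up when it has actually gone silent, which is the case you care about if an agent has been stopped or tampered with.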