Hello:
I have a single source file that contains a string of interest.
When I run this query I get a single correct answer:
sourcetype=*** _raw = "*WARNING UPS AUTO VOLT REG ON*" earliest="-2w" latest = "now" | dedup source | table source
"Correct answer" meaning the file name ("source" field) that contains the "WARNING UPS AUTO VOLT REG ON" text string.
But when I negate the search query ("_raw !=" instead of "_raw ="):
sourcetype=*** _raw != "*WARNING UPS AUTO VOLT REG ON*" earliest="-2w" latest = "now" | dedup source | table source
I get a list of files that includes the file that does have the string of interest. I'm confused as to how the same source file can appear as both containing and not containing the string of interest.
It's probably something simple I'm overlooking, suggestions welcome. Thanks.
Consider this example
File 1
event 1: My name is somesh
event 2: I live in Charlotte
File 2
event 1: This is somesh again
event 2: I moved to Atlanta now.
File 3
event 1: Don't know who wrote this
event 2: Don't care where he lives.
If I search this
index=blah "*somesh*" | stats count by source | table source
It will match event 1 from File 1 and File 2, and thus will return File 1 and File 2 in the result.
If I search this
index=blah NOT "*somesh*" | stats count by source | table source
It will still match event 2 from File 1 and File 2 (they don't have the word searched for) and both events from File 3, thus returning File 1, File 2 and File 3 in the result.
If you want to list the sources in which none of the events contain the word you're searching for, try this:
sourcetype=*** NOT [search sourcetype=*** "*WARNING UPS AUTO VOLT REG ON*" earliest="-2w" latest = "now" | stats count by source | table source] earliest="-2w" latest = "now" | stats count by source | table source
You're basically (in the subsearch) getting the list of sources which contain the word and then excluding them (NOT [subsearch result]).
In addition, you should be aware of a few things:
1) NOT isn't the same as !=. Consider the following statements:
NOT bob - will drop all events containing the string 'bob'. Simple.
NOT user=bob - will drop all events where the field 'user' has the value 'bob'. Does not have to contain the literal string.
NOT "user=bob" - will drop all events matching the whole string. Will keep events where 'user' gets the value 'bob' from some other type of field extraction.
user != bob - will only return events that contain the field 'user', and where the value isn't 'bob'. So events that don't have a 'user' field at all will also be dropped.
2) Asterisks cannot be escaped in the search language; they will be parsed as a wildcard char. Unless you're looking for strings like "BIGWARNING UPS AUTO VOLT REG ONTOP", just leave them out.
3) Searching for _raw != "*BLAH BLEH*" is probably not as good as NOT "BLAH BLEH".
/K
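As an added illustration (not part of either answer above), a small Python model of the semantics both answers describe: per-event negation versus excluding whole sources via the subsearch, and the difference between NOT and != when a field is absent. The file names, event text and 'user' field values are constructed, and a search term is modelled as a plain substring test standing in for the *term* wildcard.

```python
# Added example (not from the original thread): a Python model of the Splunk
# semantics discussed in both answers. All events below are constructed;
# a search term is modelled as a plain substring test (case handling ignored).
# (source, _raw text, extracted value of the 'user' field, or None if absent)
EVENTS = [
    ("File 1", "My name is somesh", None),
    ("File 1", "I live in Charlotte", "alice"),
    ("File 2", "This is somesh again user=bob", "bob"),   # literal user=bob in _raw
    ("File 2", "I moved to Atlanta now.", None),
    ("File 3", 'Who wrote this? {"user": "bob"}', "bob"),  # user extracted from JSON
    ("File 3", "Don't care where he lives.", "carol"),
]

def sources_with_match(events, needle):
    """'"needle" | stats count by source': sources with at least one matching event."""
    return sorted({src for src, raw, _ in events if needle in raw})

def sources_not_match(events, needle):
    """'NOT "needle" | stats count by source': negation is applied per event, so a
    source still appears if ANY of its events lacks the needle."""
    return sorted({src for src, raw, _ in events if needle not in raw})

def sources_without_any_match(events, needle):
    """Subsearch pattern 'NOT [search "needle" | stats count by source]': first
    collect the sources that match anywhere, then exclude those whole sources."""
    hits = set(sources_with_match(events, needle))
    return sorted({src for src, _, _ in events} - hits)

def not_field_equals(events, value):
    """'NOT user=bob': drop events whose extracted user field equals value;
    events with no user field at all are kept."""
    return [raw for _, raw, user in events if user != value]

def not_literal(events, text):
    """'NOT "user=bob"': drop events whose _raw contains the literal text;
    a user=bob extracted from other syntax (JSON here) survives."""
    return [raw for _, raw, _ in events if text not in raw]

def field_not_equals(events, value):
    """'user != bob': keep only events that HAVE a user field with another value;
    events lacking the field are dropped as well."""
    return [raw for _, raw, user in events if user is not None and user != value]

if __name__ == "__main__":
    print(sources_with_match(EVENTS, "somesh"))         # ['File 1', 'File 2']
    print(sources_not_match(EVENTS, "somesh"))          # ['File 1', 'File 2', 'File 3']
    print(sources_without_any_match(EVENTS, "somesh"))  # ['File 3']
    print(len(not_field_equals(EVENTS, "bob")),         # 4
          len(not_literal(EVENTS, "user=bob")),         # 5
          len(field_not_equals(EVENTS, "bob")))         # 2
```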