Hi
I have defined a field for different types of events, the field is recognized in all the events I want to see it. Most likely because the regex is not good enough yet. So I am interested in seeing all the events that do not contain the field I defined.
How do I search for events that do not contain a specific field?
Thanks
Chris
If I want to find all events with a field named foo
* | where isnotnull(foo)
If I want to find all events without a field named foo
* | where isnull(foo)
| search foo="*"
Cool, thank you for the quick reply
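Building on the isnull(foo) answer above, this is an added example (not posted by anyone in this thread) that groups the events missing the field by their punct pattern, so the event formats the extraction regex does not cover stand out with a sample of each. The values in angle brackets are placeholders to replace with your own index and sourcetype, and foo is the field name used in the answer.

```spl
index=<your_index> sourcetype=<your_sourcetype>
| where isnull(foo)
| stats count AS missing_events, first(_raw) AS sample_event BY punct
| sort - missing_events
| head 20
```

Each row is one event shape the extraction missed. Adjust the regex against sample_event and rerun until the list is empty or only holds events that should not carry the field.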