Hi guys,
I need to exclude returning the words "DRAFT" from the current query that I have, but I am not sure on where exactly to put it. Here is the query :
index=doccloud_main sourcetype=doccloud_catalina "Document workspace"| rex "Category:\s*(?<Category>[^,]*),\s*subCategory:\s*(?<subCategory>.*)" | stats count by Category, subCategory | sort 30 - count
Can someone please help?
Try this:
index=doccloud_main sourcetype=doccloud_catalina "Document workspace" NOT "draft" | rex "Category:\s*(?<Category>[^,]*),\s*subCategory:\s*(?<subCategory>.*)" | stats count by Category, subCategory | sort 30 - count
Try this:
index=doccloud_main sourcetype=doccloud_catalina "Document workspace" NOT "draft" | rex "Category:\s*(?<Category>[^,]*),\s*subCategory:\s*(?<subCategory>.*)" | stats count by Category, subCategory | sort 30 - count
Please edit your question and include a sample of events. (that contain the word DRAFT.)
Also... do you want to exclude the event if it has the word DRAFT or do you want to not include data that has a category or sub category of DRAFT? give us some context...