Hi everyone,
I have three dashboards to list my different sourcetypes:
ALL, test, production
ALL:
| metadata type=sourcetypes | search totalCount>0 | eval termkey="sourcetype" | fields sourcetype | where sourcetype LIKE "system-%" | sort sourcetype
TEST:
| metadata type=sourcetypes | search totalCount>0 | eval termkey="sourcetype" | fields sourcetype | where sourcetype LIKE "system-%test%" | sort sourcetype
PRODUCTION:
| metadata type=sourcetypes | search totalCount>0 | eval termkey="sourcetype" | fields sourcetype | where sourcetype LIKE "system-%prod%" | sort sourcetype
My Question:
How do I make a search like this: In TEST I want to exclude all PROD, because of some differently named log files.
-> I need an inverted search string, something like: ALL SOURCETYPES != %prod%
Greetings
Matt
where (sourcetype LIKE "system%") AND (not sourcetype LIKE "%test%")
Done 😉