Hello,
I have a table like the one below, with a column containing repeated id numbers form one side and respective messages for each id on the other side. I want to make a search which can show the id numbers that have only "Error" message as value and skip repeating ids that have Error and OK. Any help is much appreciated.
col1 col2
11111 Error
11111 OK
55555 Error
In the example, successful query should return 55555.
Try this
base search | chart count over col1 by col2 | where col2=0
*OR*
base search | eventstats values(col2) as status by col1 | where isnull(mvfind(status, "OK"))
Try this
base search | chart count over col1 by col2 | where col2=0
*OR*
base search | eventstats values(col2) as status by col1 | where isnull(mvfind(status, "OK"))