I created the following search query to cross search for users who successfully log in to a website and also received an email from a
specific sender (at the bottom), and I'm trying to filter out a few states. If I remove the | search state!=PA state!=OH state!=10
section the query runs and I see users logging in from both the US and outside the US.
However, with the | search state!=PA state!=OH state!=10
section in the search, my search is limited to only US based countries and countries outside the US are no longer listed in the results.
How can I return all countries and exclude a few states? I think my query isn't taking the fact that some countries do not have a state associated with them.
Thx
index=xxx url="https://xxx.xxx.xxx NOT (x* OR x.y.* OR x.y.* OR x.y.* OR x.y.*) [search index=xxx SenderAddress="xxx@abc.com" |dedup user | fields user] | geoip "src_ip" | rename "src_ip"_latitude as "lat" | rename "src_ip"_longitude as "long" | rename "src_ip"_country_code as "country" | rename "src_ip"_region_name as "state" | table _time user country state src_ip
You could fill your null values. So before you do '| search state!=PA state!=OH state!=10', do ' | fillnull value=NULL state | '.
You could fill your null values. So before you do '| search state!=PA state!=OH state!=10', do ' | fillnull value=NULL state | '.
That worked - thx for he help!