How to ignore a transaction (not an event) if any of its events contain an "abcd" string
Hi niketnilay,
Thanks for your suggestion; it seems it's working to avoid transactions which have logout. Still filtering with eventcounts etc. to get the exact active sessions even if I search 2hrs/8hrs back...
Thanks..
After the transaction add this:
... | search NOT "abcd"
Requires more details on your transaction query and sample events
| search NOT ("abcd")
However, the same should always be done in the base search to filter results upfront.
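The two filter placements mentioned in this thread, compared in a small Python model (an added example, not code from any poster and not Splunk's implementation). The session_id field, the sample events and the substring matching are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events; session_id and the messages are assumptions.
EVENTS = [
    {"session_id": "s1", "raw": "user=alice action=login"},
    {"session_id": "s1", "raw": "user=alice action=view"},
    {"session_id": "s1", "raw": "user=alice action=logout abcd"},
    {"session_id": "s2", "raw": "user=bob action=login"},
    {"session_id": "s2", "raw": "user=bob action=view"},
]


def transaction(events, field):
    """Simplified model of `transaction <field>`: group events by the
    field and merge their raw text into one multi-line record."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev[field]].append(ev["raw"])
    return [{field: key, "raw": "\n".join(raws), "eventcount": len(raws)}
            for key, raws in groups.items()]


def search_not(records, term):
    """Simplified model of `search NOT "<term>"`: drop every record whose
    raw text contains the term (substring match is a simplification)."""
    return [r for r in records if term.lower() not in r["raw"].lower()]


def filter_after_transaction(events, term):
    # ... | transaction session_id | search NOT "abcd"
    return search_not(transaction(events, "session_id"), term)


def filter_in_base_search(events, term):
    # ... NOT "abcd" | transaction session_id
    return transaction(search_not(events, term), "session_id")


if __name__ == "__main__":
    for t in filter_after_transaction(EVENTS, "abcd"):
        print("after transaction:", t["session_id"], t["eventcount"])
    for t in filter_in_base_search(EVENTS, "abcd"):
        print("base search:      ", t["session_id"], t["eventcount"])
```

Filtering after the transaction drops session s1 entirely because the merged text contains "abcd"; filtering in the base search keeps s1 with two events, since only the matching event is removed before grouping.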