I want a statement that will evaluate field A, and if the value of field A equals 1, then I want to exclude any value of field B from the search.
Hi jared_anderson,
modify your main search to have only the events you want
sourcetype="email" MailDirectionField=inbound | transaction MID | ...
Bye.
Giuseppe
Hi jared_anderson,
try
sourcetype="email" MailDirectionField!=outbound | transaction MID | ...
Bye.
Giuseppe
the problem with that is then that will only remove one event when there are 20+ events that contain that MID.
event1, maildirection=outbound, MID=123
event2, sourceuser=user1, MID=123
event3, destinationuser=user2, MID=123
event1, maildirection=outbound, MID=124
event2, sourceuser=user1, MID=124
event3, destinationuser=user2, MID=124
event1, maildirection=outbound, MID=125
event2, sourceuser=user1, MID=125
event3, destinationuser=user2, MID=125
in that last search each event1 would not be returned, but the rest of the events with MID 123, 124 and 125 would be returned.
Something like below?
...| eval fieldA = myEvalFunction | search NOT (fieldA=1 AND fieldB=*)
So i have email events, where a series of logs have the same Message ID (MID).
So instead of having to run:
sourcetype="email" | transaction MID |
I want to limit the number of entries and only search against MailDirectionField=inbound. Not every event has MailDirectionField, but they do have the MID field. so I want my evaluation to state that if MailDirectionField=inbound then NOT MID associated with that event.