Search with like / only when more than one value

banzen · ‎02-14-2018

Hi,
I have troubles with a search. I want results ONLY when my "disconnected=" has a value besides blov6 berg

Unfiltered result:
Disconnected="[blov6 berg ] [dj7 berger]",

I would want to know about this..

Could look like this too

Disconnected="[blov6 berg ] [ejb7 rger] [rf34 reef]", 
Disconnected="[blov6 berg ] [dj7 berger] [l42 loop][ddd door]"

Would also want to know....

This I don't care about

Disconnected="[blov6 berg ]"

Here's what I am trying in my search

host=*  Disconnected | where disconnected !=""  | where NOT like(_raw, "%blov6%")

Suggestions?

micahkemp · ‎02-14-2018

Try something like:

 host=* Disconnected Disconnected!="[blov6 berg ]"

Edit: do you need a partial match to be ignored as well?

Try this:

| rex field=Disconnected max_match=0 "\[(?<bracketed_value>[^\]]+)\]"
| search NOT bracketed_value="blov6 berg "