Hi, I want to retrieve events that do not have "-" in the request URL.
index=con_jira
[| gentimes start=-1
| eval source="/opt/atlassian/current/logs/access_log." + strftime(now(), "%F")
| return source] "GET /browse"
| eval headers=split(_raw," ")
| eval method=mvindex(headers,5)
| eval request=mvindex(headers,6)
| where request!="*-"
| table request
Sample result:
/browse/EPS -----> correct result
/browse/ISPTEXAS-27534 ----> wrong result
Hey, try this run-anywhere search:
| makeresults
| eval request="/browse/EPS /browse/ISPTEXAS-27534 /browse/fsfsf-27534 /browse/abc /browse/edg /browse/abc-def"
| makemv request
| mvexpand request
| where NOT like(request,"%-%")
In your environment, you should write:
index=con_jira
[| gentimes start=-1
| eval source="/opt/atlassian/current/logs/access_log." + strftime(now(), "%F")
| return source] "GET /browse"
| eval headers=split(_raw," ")
| eval method=mvindex(headers,5)
| eval request=mvindex(headers,6)
| table request
| where NOT like(request,"%-%")
Let me know if this helps!
Probably several ways to skin this cat. You could try modifying the where clause to:
|where NOT request LIKE "%-%"
Or just use search:
|search NOT request="*-*"
Or use the regex command:
|regex request!=".*-.*"
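
Added example, not part of the original posts: a run-anywhere search over constructed request values that puts the question's `request!="*-"` comparison beside the `like()` filter from the answers, so the difference is visible per row. The `path_only` column goes slightly beyond the thread and rests on an assumption about intent: it only looks for a hyphen in the path, ignoring one that appears solely in a query string (the `?focusedId=-1` value is made up for illustration).

```spl
| makeresults
| eval request="/browse/EPS /browse/ISPTEXAS-27534 /browse/abc-def /browse/EPS?focusedId=-1"
| makemv request
| mvexpand request
| eval literal_neq=if(request!="*-", "kept", "dropped")
| eval like_filter=if(NOT like(request, "%-%"), "kept", "dropped")
| eval path_only=if(NOT match(request, "^/browse/[^?]*-"), "kept", "dropped")
| table request literal_neq like_filter path_only
```

In `where` and `eval`, `!=` compares against the literal string `*-`, so `literal_neq` keeps every row here; `*` is a wildcard only in the `search` command, while `like()` uses `%` and `match()` uses a regular expression.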