I am creating a query to get the message type count, but I want to skip some of the messages that are not valid. Some of the messages start with "-100" or "Data ...". I want to skip them while counting the messages.
To get the count I am using the query below:
eventtype=logs | stats count as Total by message | rename message AS "Type"
The message field has the data below:
Data nprops 5 1
Data props 0
-102
1432
sql error
I want to skip all messages which start with a positive or negative number, and also those which start with "Data".
Give this a try,
eventtype=logs | where match(message, "\D") | stats count as Total by message | rename message AS "Type"
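The filter the question asks for, worked through in Python as an added example (not part of either post above): the sample values are the ones listed in the question plus two constructed duplicates so the counts are not all 1, the skip rule is a start-anchored regex (optional sign followed by a digit, or the literal word "Data"), and the count-by-message step mirrors `stats count as Total by message`. The SPL equivalent of the anchored check would be `where NOT match(message, "^(?:[+-]?\d|Data)")`; that query string is my own suggestion, not something from the thread. For comparison the block also returns what an unanchored `\D` test (any non-digit anywhere in the value) keeps on the same data.

```python
import re
from collections import Counter

# Constructed sample of the "message" field values: the five from the question
# plus two extra rows so the resulting counts are not all 1.
SAMPLE_MESSAGES = [
    "Data nprops 5 1",
    "Data props 0",
    "-102",
    "1432",
    "sql error",
    "sql error",
    "connection refused",
]

# Anchored skip rule: the value begins with an optional sign and a digit,
# or begins with the literal word "Data".
SKIP_PATTERN = re.compile(r"^(?:[+-]?\d|Data)")


def is_valid_message(message: str) -> bool:
    """True when the message should be counted (it does not start with a number or 'Data')."""
    return SKIP_PATTERN.search(message) is None


def count_message_types(messages):
    """Emulate: ... | where NOT match(message, "^(?:[+-]?\\d|Data)") | stats count as Total by message.

    Returns a dict of message -> Total over the messages that pass the anchored filter.
    """
    return dict(Counter(m for m in messages if is_valid_message(m)))


def unanchored_matches(messages):
    """Values kept by an unanchored test for any non-digit character, i.e. match(message, "\\D")."""
    return [m for m in messages if re.search(r"\D", m)]


if __name__ == "__main__":
    # Same shape as the renamed stats output: Type<TAB>Total
    for message_type, total in count_message_types(SAMPLE_MESSAGES).items():
        print(f"{message_type}\t{total}")
    print("kept by unanchored \\D:", unanchored_matches(SAMPLE_MESSAGES))
```

Running it prints only `sql error` (2) and `connection refused` (1); the unanchored check keeps every value that contains any non-digit, including `-102` (because of the sign) and the two `Data ...` rows, and drops only `1432`.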