I asked this earlier and the solution did not work, so I am asking again. I think I am really close...
Basically what I want to do is look at the previous week for installed products, take the list and then compare it against what has been installed this week and tell me what is new.
For starters, this will provide me the list:
index=windows sourcetype="wineventlog:application" SourceName=MsiInstaller EventCode=11707 | dedup _raw | rex field=Message "(?s)Product: (?<product_name>.*) --" | fields product_name
I can take this as a subsearch with an earliest= -7d
Pass the results back to the first, but I need to NOT the products installed.
index=windows sourcetype="wineventlog:application" SourceName=MsiInstaller EventCode=11707 | dedup _raw | rex field=Message "(?s)Product: (?<product_name>.*) --" | fields product_name | format "NOT(" "" "" "" "OR" ")"
When I try this...
index=windows sourcetype="wineventlog:application" SourceName=MsiInstaller EventCode=11707 | dedup _raw | rex field=Message "(?s)Product: (?<product_name>.*) --" | fields product_name[search index=windows sourcetype="wineventlog:application" SourceName=MsiInstaller EventCode=11707 earliest= -7d| dedup _raw | rex field=Message "(?s)Product: (?<product_name>.*) --" | fields product_name | format "NOT(" "" "" "" "OR" ")"]
I get an error:
Error in 'fields' command: Invalid argument: 'product_name=product installed name'
It is what it says on the tin - the argument you pass to fields is invalid:
... | fields product_name[search something something ...
Assuming you want to filter the main search by the subsearch, try something like this:
... | fields product_name | search [search something something ...
This way the subsearch is used as an argument for a search command, not mangled into the fields command which obviously cannot understand it.
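The shape the answer describes, written out as an added example (not the answerer's own search). It assumes "previous week" means the window from 14 to 7 days ago and "this week" the last 7 days, uses a non-greedy capture so the product name stops at the first " --", and relies on format to turn the subsearch rows into NOT( product_name="A" OR product_name="B" ) for the outer search command:

```spl
index=windows sourcetype="wineventlog:application" SourceName=MsiInstaller EventCode=11707 earliest=-7d@d
| dedup _raw
| rex field=Message "(?s)Product: (?<product_name>.*?) --"
| search [ search index=windows sourcetype="wineventlog:application" SourceName=MsiInstaller EventCode=11707 earliest=-14d@d latest=-7d@d
    | dedup _raw
    | rex field=Message "(?s)Product: (?<product_name>.*?) --"
    | dedup product_name
    | fields product_name
    | format "NOT(" "" "" "" "OR" ")" ]
| stats earliest(_time) as first_seen, values(host) as hosts by product_name
```

Subsearches are capped by default (10,000 results and 60 seconds), so the dedup product_name inside the subsearch keeps the generated NOT list short; note that the NOT hides a product on every host if it was installed anywhere last week, so a known package landing on a new host will not show up as new.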
Hi,
Are you able to get the desired results?
I get that! So what would the correct search look like?