I am trying to create a report that will run on a schedule and combines different sourcetypes, running from the datamodel like below.
| datamodel Email All_Email search
| search sourcetype="ms0365log" OR sourcetype="emaillog" OR sourcetype=exchange2019 OR sourcetype=maillog
For sourcetype=maillog, I want the search to exclude any maillog event that has final_rule!=scanning from the result. When I run the command below for one sourcetype it works well, but when I add multiple sourcetypes like above it fails.
Single sourcetype works fine
| datamodel Email All_Email search
| search sourcetype="maillog" | spath final_rule | search final_rule!=scanning
Multiple sourcetype fails
| datamodel Email All_Email search
| search sourcetype = "ms0365log OR sourcetype = "emaillog" OR sourcetype=exchange2019 OR sourcetype=maillog "|spath final_rule | search final_rule!=scanning"
Any ideas? I don't mind removing spath.
| datamodel Email All_Email search
| search "ms0365log" OR "emaillog" OR "exchange2019" OR "maillog"
| spath final_rule
| search final_rule!=scanning
Why don't you search strings?
@to4kawa When I used the search strings you gave above, all other sourcetype events are not searched. I guess they are excluded because the other sourcetypes do not have the final_rule field.
Has your goal been achieved? If so, please accept the answer.
No, it has not been achieved, as I only want logs from maillog that have the field final_rule=scanning to be excluded from the report, but now what happens is that the other sourcetypes are entirely excluded as well, which is not what I want. I want the exclusion to be specific to one particular sourcetype.
Thanks.
I am not sure the results are OK.
| datamodel Email All_Email search
| search "ms0365log" OR "emaillog" OR "exchange2019" OR "maillog"
Is this OK?
That works fine, but the events with the field "final_rule!=scanning" from maillog are not excluded, which is what I am trying to achieve. Thanks for your reply.
| datamodel Email All_Email search
| search "ms0365log" OR "emaillog" OR "exchange2019" OR "maillog"
| search NOT ( "final_rule" AND "scanning")
| spath final_rule
How's this?
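A search that scopes the exclusion to a single sourcetype, added here as an example and not code posted by anyone in the thread; it assumes the same Email data model, sourcetype names and final_rule field used above. In Splunk, `final_rule!=scanning` only matches events that actually carry a final_rule field, which is why the other sourcetypes disappeared, whereas `NOT (sourcetype="maillog" AND final_rule="scanning")` removes only the maillog events whose final_rule is scanning and keeps every other event, including those without the field.

```spl
| datamodel Email All_Email search
| search sourcetype="ms0365log" OR sourcetype="emaillog" OR sourcetype="exchange2019" OR sourcetype="maillog"
| spath final_rule
| search NOT (sourcetype="maillog" AND final_rule="scanning")
```

To confirm that nothing outside maillog was dropped, append `| stats count by sourcetype` to this search and to the same search without the final `NOT` line; only the maillog count should differ.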