I have a lookup table (attached sample), and in my search I want to return records where "ACCT" is not in "ACCTNBR4" in the lookup.
My current search looks something like this:
sourcetype="abc" "SAMPLE acctGuid=, 13DigitAcctNbr=, 4DigitAcctNbr=* " | rex field=_raw ", 4DigitAcctNbr=(?
I want to exclude what is being returned.
GUID,ACCTNBR4,INSERT_DATE,NOTES,USERNAME,FNAME,LNAME
123,1234,8/24/2012 9:01:56 AM,,abc,Mad,Dog
456,1111,3/19/2013 11:29:59 AM,,def@test.net,,
You can assign a value of NULL to the column in question and then specify it in your search:
sourcetype="abc" "SAMPLE acctGuid=, 13DigitAcctNbr=, 4DigitAcctNbr=* " | rex field=_raw ", 4DigitAcctNbr=(?
I am trying that, but it is still giving me the same counts.
I only want to show records if ACCT does not have a value in the ACCTNBR4 column of the lookup table.
So if 2 events looked like this:
SAMPLE acctGuid=123-abc, 13DigitAcctNbr=1234567890123, 4DigitAcctNbr=1234
SAMPLE acctGuid=def-567, 13DigitAcctNbr=0001117890123, 4DigitAcctNbr=7945
I would only want to return 7945, 1 from this record:
SAMPLE acctGuid=def-567, 13DigitAcctNbr=0001117890123, 4DigitAcctNbr=7945
I would not return the other event because 4DigitAcctNbr (field acct) 123 is in my lookup file:
SAMPLE acctGuid=def-567, 13DigitAcctNbr=0001117890123, 4DigitAcctNbr=7945
Thanks!
Ryan
What do you mean by "exclude what is being returned"? You want to filter to a subset of account numbers?
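One way to get the result asked for in this thread, as an added example that is not from any of the posters: a `lookup` copies the matching ACCTNBR4 value into a marker field, and a `where` keeps only the events that found no match. The lookup name `acct_lookup`, the marker field `in_lookup` and the `rex` pattern are assumptions; `acct` is the extracted field named in the thread.

```spl
sourcetype="abc" "SAMPLE acctGuid=" "4DigitAcctNbr="
| rex field=_raw "4DigitAcctNbr=(?<acct>\d{4})"
| lookup acct_lookup ACCTNBR4 AS acct OUTPUT ACCTNBR4 AS in_lookup
| where isnull(in_lookup)
| stats count BY acct
```

With the two sample events and the sample lookup rows from the thread, the event with 4DigitAcctNbr=1234 matches a lookup row and is dropped, leaving 7945 with a count of 1.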