I have a lookup table (attached sample) and in my search I want to return records where "ACCT" is not in "ACCTNBR4" in the lookup.
My current search looks something like this:
sourcetype="abc" "SAMPLE acctGuid=, 13DigitAcctNbr=, 4DigitAcctNbr=* " | rex field=_raw ", 4DigitAcctNbr=(?<ACCT>[0-9]{4})" | lookup TestAccounts ACCTNBR4 AS ACCT output ACCTNBR4 | stats count by ACCTNBR4
I want to exclude what is being returned.
GUID,ACCTNBR4,INSERT_DATE,NOTES,USERNAME,FNAME,LNAME
123,1234,8/24/2012 9:01:56 AM,,abc,Mad,Dog
456,1111,3/19/2013 11:29:59 AM,,def@test.net,,