I am using the following query to get the data for user status = yes:
host="hostname" sourcetype="source_type" | search userid!="-"
| search url="/data/a.jsp" | eval user_status="yes" | dedup userid
| lookup main_data userid OUTPUT userid, first_name, last_name
| table userid, first_name, last_name, user_status, url
Result:
userid=sam01
first_name=sam
last_name=Rogers
user_status=yes
url=/data/a.jsp
The following query gets the data for user status = no:
host="hostname" sourcetype="source_type" NOT
[search host="hostname" sourcetype="source_type" | search url="/data/a.jsp" | fields userid]
| search userid!="-" | regex url="(^\/data\/abc.)|(^\/data\/def.)|(^\/data\/ghi.)|(^\/data\/klm.)"
| dedup url | eval user_status="no" | dedup userid
| lookup main_data userid OUTPUT userid, first_name, last_name
| table userid, first_name, last_name, user_status, url
Result:
userid=sam01
first_name=sam
last_name=Rogers
user_status=no
url=/data/*
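Added example, not part of the original post: assuming the goal is a single result set that carries user_status = yes or no for every userid, the two searches above can be collapsed into one by tagging each event and then reducing per userid with stats, instead of excluding users through a NOT [subsearch]. The host, sourcetype, lookup name and URL patterns are carried over from the post unchanged; hit_a is a hypothetical helper field introduced only for this example.

```spl
host="hostname" sourcetype="source_type" userid!="-"
| regex url="(^\/data\/a\.jsp$)|(^\/data\/abc.)|(^\/data\/def.)|(^\/data\/ghi.)|(^\/data\/klm.)"
| eval hit_a=if(url="/data/a.jsp", 1, 0)
| stats max(hit_a) AS hit_a, values(url) AS url BY userid
| eval user_status=if(hit_a=1, "yes", "no")
| lookup main_data userid OUTPUT first_name, last_name
| table userid, first_name, last_name, user_status, url
```

The first regex keeps only the events that either search cared about; hit_a marks the /data/a.jsp events, and stats max(hit_a) BY userid becomes 1 for any user who hit that page at least once in the time range, which is the same condition the original subsearch expressed. Doing it with stats avoids two behaviours of the original "no" query that can silently produce wrong output: a subsearch returns at most the limits.conf subsearch_maxout rows (10,000 by default) and is then truncated, so on a busy host users who did hit /data/a.jsp can fall through to "no"; and dedup url before dedup userid keeps only the first event per URL across all users, so most users never reach the "no" result at all. values(url) returns a multivalue field listing every matched URL for the user; use values(url) AS url only if that list is wanted, otherwise drop it from the stats clause.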