topic Re: Exclude certain log with specific attribute from a search that has mutiple sources in Getting Data In

Exclude certain log with specific attribute from a search that has mutiple sources

Abdulm1 — Wed, 30 Sep 2020 03:49:10 GMT

I am trying creating a report that will run on schedule which combines different sourcetype to run from the datamodel like below.

| datamodel Email All_Email search
| search sourcetype = "ms0365log OR sourcetype = "emaillog" OR sourcetype=exchange2019 OR sourcetype=maillog

In the sourcetype=maillog i want during the search to exclude any maillog event that has final_rule!=scanning from the result. When I run the below command for one sourcetype it works well, but when I add the mutiple source type like above it fails.

Single sourcetype works fine
| datamodel Email All_Email search
| search sourcetype = "maillog" |spath final_rule | search final_rule!=scanning

Multiple sourcetype fails

| datamodel Email All_Email search
| search sourcetype = "ms0365log OR sourcetype = "emaillog" OR sourcetype=exchange2019 OR sourcetype=maillog "|spath final_rule | search final_rule!=scanning"
|
any ideas and I don't mind removing spath

Re: Exclude certain log with specific attribute from a search that has mutiple sources

to4kawa — Mon, 27 Jan 2020 06:19:38 GMT

| datamodel Email All_Email search
| search "ms0365log" OR "emaillog" OR "exchange2019" OR "maillog"
| spath final_rule 
| search final_rule!=scanning

why don't you search strings?

Re: Exclude certain log with specific attribute from a search that has mutiple sources

Abdulm1 — Mon, 27 Jan 2020 06:56:11 GMT

@to4kawa When i used the search strings you gave above all other sourcetype events are not searched. I guess they are excluded because the other sourcetype do not have final_rule field .

Re: Exclude certain log with specific attribute from a search that has mutiple sources

to4kawa — Mon, 27 Jan 2020 07:06:02 GMT

Has your goal been achieved? if that is, please accept the answer.

Re: Exclude certain log with specific attribute from a search that has mutiple sources

Abdulm1 — Mon, 27 Jan 2020 11:13:44 GMT

No it has not been achieved as I only want logs from maillog that has the field final_rule=scanning to be excluded from the report , but now what happens is that the other source type entirely are all excluded as well, which is not what I want . I want to exclusion to be specific to one particular sourtcetype.

Thanks.

Re: Exclude certain log with specific attribute from a search that has mutiple sources

to4kawa — Mon, 27 Jan 2020 12:05:25 GMT

I am not sure the results OK.

 | datamodel Email All_Email search
 | search "ms0365log" OR "emaillog" OR "exchange2019" OR "maillog"

this is OK?

Re: Exclude certain log with specific attribute from a search that has mutiple sources

Abdulm1 — Mon, 27 Jan 2020 12:08:35 GMT

That works fine but the events with this fields "final_rule!=scanning" from maillog is not excluded which is what am trying to achieve. Thanks for your reply

Re: Exclude certain log with specific attribute from a search that has mutiple sources

to4kawa — Mon, 27 Jan 2020 12:39:52 GMT

 | datamodel Email All_Email search
 | search "ms0365log" OR "emaillog" OR "exchange2019" OR "maillog"
 | search NOT ( "final_rule" AND "scanning") 
 | spath final_rule

How's this?