Solved: Re: how to exclude some index results

rhayle · ‎10-15-2013

If you want to get all the indexes, do this:
eventcount index=* summarize=false

How do I exclude summary, history and main from my index results?
Thanks

somesoni2 · ‎10-15-2013

This works for me.

| eventcount summarize=false index=* index=_* | search NOT (index=main OR index=summary OR index=history)

somesoni2 · ‎10-15-2013

This works for me.

| eventcount summarize=false index=* index=_* | search NOT (index=main OR index=summary OR index=history)

rhayle · ‎10-16-2013

Thanks, this is what I wanted.

| eventcount summarize=false index=* | search NOT (index=main OR index=summary OR index=history)

richgalloway · ‎10-15-2013

Try 'eventcount index=* summarize=false NOT (index=main OR index=summary OR index=history)'

---
If this reply helps you, Karma would be appreciated.

rhayle · ‎10-15-2013

I have try these out as a search and they do not work. Am I missing something?

| eventcount index=* NOT index=main NOT index=history NOT sourcetype=stash summarize=false

| eventcount index=* summarize=false NOT (index=main OR index=summary OR index=history)

yannK · ‎10-15-2013

if you want to search but exclude "exclude summary, history and main"

try
index=* NOT index=main NOT index=history NOT sourcetype=stash

and if you want the internal indexes, add
index=* OR index=_* NOT index=main NOT index=history NOT sourcetype=stash

how to exclude some index results