I was executing my search on a log file.
This is the pattern I want to search: **END ABCD234** hour>00, where this shouldn't be searched on several hosts (servers).
The hosts that need to be ignored can be identified by this pattern: "DISABLE" "END" hour>00.
Here, hour is a field extracted from the timestamp (example: 01:15:38, here 01 was extracted).
Please let me know if more info needed.
Looks like a doable task...
Yes, more info needed please.
If "DISABLE" is the keyword that needs to be ignored, then specify this before the hour field:
index=idx END NOT "DISABLE" | where hour>00
If this is not what you're looking for, then please provide sample events which have these keywords.
It seems like you want a search which has END ABCD234 hour>00 as the pattern (event 1) but does not have DISABLE END hour>00 (separate event 2). If that's the case, you can try something like this:
index=yourindex sourcetype=yoursourcetype END ABCD234 hour>00 NOT [search index=yourindex sourcetype=yoursourcetype DISABLE END hour>00 | stats count by host | table host ]
The subsearch would exclude all the hosts that have DISABLE END hour>00 events from the main search result.
@jeevananm06 if your issue is resolved do accept this answer to mark your question as answered!
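To show what the NOT [subsearch] above does, here is an added Python reproduction of the same logic over a few constructed log lines (example code, not from the original thread or from Splunk): the "subsearch" collects hosts that have a DISABLE END event with hour>00, and the "main search" keeps END ABCD234 events with hour>00 from every other host. The line layout "<hh:mm:ss> <host> <message>" and the host names are assumptions.

```python
import re

# Constructed sample events (not from the original post): "<timestamp> <host> <message>"
SAMPLE_EVENTS = """\
01:15:38 web01 END ABCD234 job finished
00:05:10 web02 END ABCD234 job finished
02:40:12 web02 END ABCD234 job finished
03:12:00 web03 DISABLE END maintenance window
03:30:45 web03 END ABCD234 job finished
00:59:59 web04 DISABLE END maintenance window
04:01:02 web04 END ABCD234 job finished
"""

# Assumed event layout; the first two digits of the timestamp become the 'hour' field,
# mirroring the field extraction described in the question (01:15:38 -> 01).
LINE_RE = re.compile(r"^(?P<hh>\d{2}):\d{2}:\d{2}\s+(?P<host>\S+)\s+(?P<msg>.*)$")


def parse_events(text):
    """Turn raw lines into dicts carrying host, message and the extracted integer hour."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that do not fit the expected layout are skipped
        events.append({"hour": int(m["hh"]), "host": m["host"], "msg": m["msg"]})
    return events


def has_keywords(event, *keywords):
    """Splunk-style keyword match: every keyword must appear as a token anywhere in the event."""
    tokens = event["msg"].split()
    return all(k in tokens for k in keywords)


def excluded_hosts(events):
    """The subsearch: hosts with a DISABLE END event where hour>00 (hour 00 does not count)."""
    return {e["host"] for e in events if has_keywords(e, "DISABLE", "END") and e["hour"] > 0}


def main_search(events):
    """The main search: END ABCD234 events with hour>00, minus hosts returned by the subsearch."""
    skip = excluded_hosts(events)
    return [e for e in events
            if has_keywords(e, "END", "ABCD234") and e["hour"] > 0 and e["host"] not in skip]
```

Note that web04 is not excluded: its DISABLE END event falls in hour 00, so the hour>00 condition inside the subsearch does not match it, which is worth checking against the real data before relying on the exclusion.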