If I had the following content to search through how can I get a search to provide the results for all except the "x2". Example just lists 3 to give an example of statement structure I'm searching for, there are unknown number of X. And I need to search for the entire phrase because "xx" mention in several places in the log.
All x1 go to heaven All x2 go to heaven All x3 go to heaven
Sounds to me like you want to see which users have logged in. I suggest doing a field extraction so that you can then do some stats on the usernames.
"login by user * was successful" | rex "login by user (?<user>\S+) was successful" | stats count by user
this will give you a nice table with the number of successful logins per user. Instead of doing this extraction with rex in the actual search, you can also create an automatic search time extraction using the IFX or by manually editing the config files.
To filter out the known users you may not want to see, adjust the search as follows:
"login by user * was successful" | rex "login by user (?<user>\S+) was successful" | search (user!=bsimpson OR user!=hsimpson) | stats count by user
I might still be confused by your question.
Based on what I think you are looking for, mloven's suggestion of using "not" is correct. You can use a query like the following:
sourcetype="access_combined" NOT (bsimpson OR hsimpson)
sourcetype="access_combined" user!="bsimpson" user!="hsimpson"
If you are interested in only seeing the unique users who have logged in, I would suggest you look into the "dedup" command. The wording of your question is a little confusing to me, but I think this may also be of use to you.
PS: You should use the "comment on this answer" link to comment on posts, rather than submitting a new answer each time. Just for future reference 🙂
sorry my example wasn't clear.
Say I'm log has the following entries:
login by user bsimpson was successful login by user msimpson was successful login by user hsimpson was successful
On and on with an unknown number of users ids.
I can search for login by user "*" was successful and get 727 events
By searching on the above I know how many events I have for each simpson, but only because I know the user IDs to look for.
I want to see all events for users other than hsimpson or bsimpson so I can see what other user IDs have logged in.
That make sense...?
I'm not entirely sure I understand what you're asking for, so, if I'm way off on my answer, let me know. If you're just looking for a way to search, while excluding entries with "x2" in them, you could just search for:
NOT 'All x2 go to heaven'
If you need to weed out other entries that don't meet the 'All x? go the heaven' format, you could do:
'go to heaven' NOT 'All x2 go to heaven'
Hopefully that'll work for you.