Archive

expression help, everything but X

New Member

If I had the following content to search through how can I get a search to provide the results for all except the "x2". Example just lists 3 to give an example of statement structure I'm searching for, there are unknown number of X. And I need to search for the entire phrase because "xx" mention in several places in the log.

All x1 go to heaven
All x2 go to heaven
All x3 go to heaven

Thanks all.

Tags (2)
0 Karma

Motivator

Sounds to me like you want to see which users have logged in. I suggest doing a field extraction so that you can then do some stats on the usernames.

Try this:

"login by user * was successful" | rex "login by user (?<user>\S+) was successful" | stats count by user

this will give you a nice table with the number of successful logins per user. Instead of doing this extraction with rex in the actual search, you can also create an automatic search time extraction using the IFX or by manually editing the config files.

To filter out the known users you may not want to see, adjust the search as follows:

"login by user * was successful" | rex "login by user (?<user>\S+) was successful" | search (user!=bsimpson OR user!=hsimpson) | stats count by user
0 Karma

Communicator

I might still be confused by your question.

Based on what I think you are looking for, mloven's suggestion of using "not" is correct. You can use a query like the following:

sourcetype="access_combined" NOT (bsimpson OR hsimpson)

or

sourcetype="access_combined" user!="bsimpson" user!="hsimpson"

If you are interested in only seeing the unique users who have logged in, I would suggest you look into the "dedup" command. The wording of your question is a little confusing to me, but I think this may also be of use to you.

PS: You should use the "comment on this answer" link to comment on posts, rather than submitting a new answer each time. Just for future reference 🙂

0 Karma

New Member

sorry my example wasn't clear.
Say I'm log has the following entries:

login by user bsimpson was successful
login by user msimpson was successful
login by user hsimpson was successful

On and on with an unknown number of users ids.

I can search for login by user "*" was successful and get 727 events
By searching on the above I know how many events I have for each simpson, but only because I know the user IDs to look for.

I want to see all events for users other than hsimpson or bsimpson so I can see what other user IDs have logged in.

That make sense...?

0 Karma

Path Finder

thinguy,

I'm not entirely sure I understand what you're asking for, so, if I'm way off on my answer, let me know. If you're just looking for a way to search, while excluding entries with "x2" in them, you could just search for:

NOT 'All x2 go to heaven'

If you need to weed out other entries that don't meet the 'All x? go the heaven' format, you could do:

'go to heaven' NOT 'All x2 go to heaven'

Hopefully that'll work for you.

0 Karma

New Member

Or better yet if I could do a report or graph that would list all of the different x1-x50 that exist.

0 Karma