Hi All

I have created below alert to capture the ERROR LOGS

index=abc ns=blazegateway ERROR |rex field=_raw "(?<!LogLevel=)ERROR(?<Error_Message>.*)" |eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N")|cluster showcount=t t=0.4|table app_name, Error_Message ,cluster_count,_time, env, pod_name,ns|dedup Error_Message | rename app_name as APP_NAME, _time as Time, env as Environment, pod_name as Pod_Name, Error_Message as Error_Message,cluster_count as Count

I am capturing on the basis of Keyword ERROR

But I don't want INTERNAL SERVER TO captured in it. Currently it is capturing INTERNAL_SERVER_ERROR as well as I am fetching on the basis of ERROR keyword

routeId:dmr_file_upload,destinationServiceURL:operation:dmrupload, serviceResponseStatus=Failure, routeResponseHttpStatusCode=500 INTERNAL_SERVER_ERROR, serviceResponseTime(ms)=253

Can someone guide me how to exclude INTERNAL_SERVER_ERROR from my alerts