Could you let me know why the results are not filtered (I have hidden sensitive data) with | where NOT like(source, "%stimeyesterday%")
| tstats latest(_time) as latest,earliest(_time) as earliest WHERE (index=* AND ...) by host source sourcetype | eval lastevent=strftime(latest, "%Y-%m-%d %H:%M") | eval firstevent=strftime(earliest, "%Y-%m-%d %H:%M")
... | eval timeYesterday=round(relative_time(now(), "-1d@d"))| eval stimeyesterday=strftime(timeYesterday, "%Y-%m-%d") | eval timeRelative=round(relative_time(now(), "@d")) | where latest < timeRelative | eval resultat=if(latest < timeRelative,"KO","OK") | eval stimerel=strftime(timeRelative, "%Y-%m-%d %H:%M") | sort host | fields - latest earliest timeRelative timeYesterdayss | where NOT like(source,"%stimeyesterday%")
Solved by support:
| where NOT like(source,stimeyesterday)
So, in your query, you can use something like the following to add the %% around the filter string beforehand:
| eval stimeyesterday="%".strftime(timeYesterday, "%Y-%m-%d")."%"
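The three forms discussed above, side by side, as an added example that is not part of the original thread: a self-contained search over four constructed source values. The /constructed/ paths and the column names quoted_literal, bare_field and wildcard_field are assumptions made for illustration.

```spl
| makeresults count=4
| streamstats count AS n
| eval stimeyesterday=strftime(relative_time(now(), "-1d@d"), "%Y-%m-%d")
| eval source=case(
    n=1, "/constructed/app-".stimeyesterday.".log",
    n=2, "/constructed/app-current.log",
    n=3, "/constructed/stimeyesterday.log",
    n=4, stimeyesterday)
| eval pattern="%".stimeyesterday."%"
| eval quoted_literal=if(like(source, "%stimeyesterday%"), "match", "no match")
| eval bare_field=if(like(source, stimeyesterday), "match", "no match")
| eval wildcard_field=if(like(source, pattern), "match", "no match")
| table source pattern quoted_literal bare_field wildcard_field
```

The quoted form treats stimeyesterday as literal text, so it matches only the third row. The unquoted field without wildcards matches only a source that equals the date exactly, and the field with the % signs added beforehand matches every source that contains yesterday's date.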
Hey @realsplunk, I do not know what you are trying to achieve. You want to filter out the source which has the stimeyesterday keyword? Then
| where NOT like(source,"%stimeyesterday%") use
| search NOT source=*stimeyesterday*
Let me know if this helps!
Which is the field that contains the date? If you have a value in the source field, only then can you apply this query.
This works vertically, not horizontally. Please explain what table you got and what you want to exclude.