Hi,
I am trying to write a query to list events from source type A only when the corresponding event in source type B does not contain a specific event code. I believe the only correlation element here is the _time.
Real scenario: every time we deploy a build, there are some entries in a log file, but the IIS server also generates an error event code at that time. I want to capture the IIS errors only when there is no build deployment.
Thanks
Thank you for the query, but I tried using transaction; it grouped the events, but I don't have a way to say
startswith and does not endswith:
| transaction host maxspan=2m startswith=(EventCode="5009") NOT (endswith=(EventCode="10003"))
Try a subsearch, something like this:
sourcetype=access_combined NOT
[ search sourcetype=linux_secure
| eval clientip=dest
| fields clientip]
If the fieldnames are the same in each source, you won't need to do the eval that I did in my subsearch. This search above will show all of the clientip field values, within the time frame that I am searching, where those ip addresses aren't in the linux_secure sourcetype in the dest field.
I know this isn't specific to your data sources, but hopefully, you can extrapolate the concept to use in your search.
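One way to apply that concept to the build/IIS scenario from the question, using only _time as the correlation key (added example, not part of the original answer): bucket both sourcetypes into the same time window and keep only the windows that contain an IIS error but no deployment entry. The sourcetype names iis and deploy_log, the 2-minute window, and the mapping of EventCode 5009 to a deployment and 10003 to the IIS error are assumptions taken from the attempt above; substitute your own.

```spl
(sourcetype=iis EventCode="10003") OR (sourcetype=deploy_log EventCode="5009")
| bin _time span=2m
| stats count(eval(sourcetype=="iis")) AS iis_errors
        count(eval(sourcetype=="deploy_log")) AS deployments
        values(eval(if(sourcetype=="iis", _raw, null()))) AS iis_events
        BY host _time
| where iis_errors > 0 AND deployments = 0
| fields _time host iis_errors iis_events
```

Unlike transaction, this never drops an IIS error just because an unrelated deployment closed the group; a window counts as "unexplained" only when it holds zero 5009 entries for that host.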