Hi community,
i have the following tstats output
"| tstats count WHERE fromzone="*INTRANET*" index=*_*_* by index source getport"
The getport field is for different indexes always 5 digits long for e.g. (index A has Port 22001, index B has 25003, index C has 35002)
Now i want to filter out all field values from the field getport without the "1" at the end.
Thanks for your help!
Are you looking for this?
YOUR_SEARCH
| search getport!="*1"
OR
YOUR_SEARCH
| regex "getport"!="\d{4}1"
KV
It, works
thanks
Are you looking for this?
YOUR_SEARCH
| search getport!="*1"
OR
YOUR_SEARCH
| regex "getport"!="\d{4}1"
KV