I'm looking for records that have a "user_email" field defined and not equal to "unauthenticated".
How do I do this:
search index=xyz sourcetype=abc (NOT user_email=unauthenticated AND user_email=*)
This does not appear to be working - I get loads of records with no user_email field defined?
Try something like this:
search index=xyz sourcetype=abc user_email=* NOT user_email=unauthenticated
AND is implied in the search.
Simple yet elegant solution. Love it!
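A way to check the suggested search against known input, as an added example that is not part of the original thread: `makeresults` builds three constructed events (one with an address, one with `unauthenticated`, one with no `user_email` at all; the counter field `n`, the `sample` label and the address are made up for the test), and only the first should come back.

```spl
| makeresults count=3
| streamstats count AS n
| eval sample="constructed test event"
| eval user_email=case(n==1, "alice@example.com", n==2, "unauthenticated")
| search user_email=* NOT user_email=unauthenticated
| table n user_email sample
```

Replacing the `search` line with `| search NOT user_email=unauthenticated` alone also returns event 3, because `NOT` matches events where the field is absent; the `user_email=*` term is what requires the field to exist.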