Solved: Help searching with not

astatrial · ‎10-29-2019

Hi all,
For some reason, my search doesn't work properly.
The search is as the one below:

....| search NOT (x=3 AND b=3)

Instead of excluding events with both the conditions in the parentheses, it does: not x=3 or not b=3

Can someone help me achieve what I am trying to do?

Thanks

kamlesh_vaghela · ‎10-30-2019

@astatrial

I think your provided search | search NOT (x=3 AND b=3) should work.

check:

| makeresults count=10 | eval x=1 | accum x | eval b=3 | search NOT (x=3 AND b=3)

OR

Try

| where NOT (x=3 AND b=3)

Check:

| makeresults count=10 | eval x=1 | accum x | eval b=3 | where NOT (x=3 AND b=3)

If both ways are not working then we are expecting types of both fields and sample data OR screenshots of them. You can use the below search for type.

| makeresults count=10 | eval x=1 | accum x | eval b=3  | eval x_t=typeof(x),b_t=typeof(b)

Thanks

View solution in original post

FrankVl · ‎10-30-2019

NOT (x=3 AND b=3) is indeed equivalent to not x=3 or not b=3, as per De Morgan's law: https://en.wikipedia.org/wiki/De_Morgan%27s_laws

If at least one of the two fields is not equal to 3, the event will be included.

b=1, x=2 -> included
b=3, x=2 -> included
b=2, x=3 -> included
b=3, x=3 -> not included

The alternative would be x!=3 AND b!=3. Which, again by De Morgan's law, is actually equivalent to NOT (x=1 OR b=3) which @gaurav_maniar mentioned in his answer. This gives you all events where none of the 2 fields equals 3.

b=1, x=2 -> included
b=3, x=2 -> not included
b=2, x=3 -> not included
b=3, x=3 -> not included

Which one is correct really depends on what you're after. Can you give a few example events and desired output and also an example of the output you get right now that is not according to your needs? Perhaps we're misunderstanding what you are actually after?

This stuff can be a bit tricky to wrap your head around. You might want to find some boolean logic tutorials or so online, to brush up on these concepts 🙂

astatrial · ‎10-30-2019

I think i had problems with the condition itself.
I had a path inside and didn't use "\".

Thanks all !

kamlesh_vaghela · ‎10-30-2019

@astatrial

I think your provided search | search NOT (x=3 AND b=3) should work.

check:

| makeresults count=10 | eval x=1 | accum x | eval b=3 | search NOT (x=3 AND b=3)

OR

Try

| where NOT (x=3 AND b=3)

Check:

| makeresults count=10 | eval x=1 | accum x | eval b=3 | where NOT (x=3 AND b=3)

If both ways are not working then we are expecting types of both fields and sample data OR screenshots of them. You can use the below search for type.

| makeresults count=10 | eval x=1 | accum x | eval b=3  | eval x_t=typeof(x),b_t=typeof(b)

Thanks

astatrial · ‎10-30-2019

Hi,
Thanks, it appeared that the logic was ok but instead the problem was with the condition with the file path (that was lacked double back slashes).

Any way, i will accept the answer as it helped me realize that the logic was ok.

Thanks again.

woodcock · ‎10-29-2019

It should work but try this:

....| search x!=3 OR b!=3

astatrial · ‎10-29-2019

I want to exclude events with both my terms, means if both x=3 and b=3 than the event will be excluded.

gaurav_maniar · ‎10-29-2019

hi,

try | search NOT (x=1 OR b=3), this will give you the desired results.

accept & up-vote the answer if it helps.

astatrial · ‎10-29-2019

I need both terms to exist, so this is not exactly what i need.

Help searching with not

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...