The goal is to take all eventIds with "operation failed" and exclude events with "Duplicate key" and "Event processed successfully":

index="idx" "Transaction failed"
| table eventId
| dedup eventId
| search NOT [search index="idx" "Duplicate key" | table eventId ]
| search NOT [search index="idx" "Event processed successfully" | table eventId ]

But for some reason the last NOT subquery doesn't exclude the events which processed successfully:

| search NOT [search index="idx" "Event processed successfully" | table eventId ]
Hi @usarios,
Let me understand: could there be an eventId with only one message, or could the same eventId have different messages in different events?
If the second, you could run something like this:
index="idx" ("Transaction failed" OR "Duplicate key" OR "Event processed successfully")
| eval message=case(searchmatch("Transaction failed"),"Transaction failed", searchmatch("Duplicate key"),"Duplicate key", searchmatch("Event processed successfully"),"Event processed successfully")
| stats dc(message) AS message_count values(message) AS message BY eventId
| where message_count=1 AND message="Transaction failed"
| table eventId
Ciao.
Giuseppe
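As an added example (not part of Giuseppe's answer), the same per-eventId aggregation run over a constructed set of sample events built with makeresults, so it can be tried in any Splunk search bar without the "idx" index; it uses match(_raw, ...) on the constructed raw text in place of searchmatch(), and eventIds 1 to 5 and their messages are made up for the demonstration.

```spl
| makeresults count=1
| eval _raw="eventId=1 Transaction failed;eventId=2 Transaction failed;eventId=2 Duplicate key;eventId=3 Transaction failed;eventId=3 Event processed successfully;eventId=4 Event processed successfully;eventId=5 Transaction failed;eventId=5 Transaction failed"
| eval _raw=split(_raw, ";")
| mvexpand _raw
| rex field=_raw "eventId=(?<eventId>\d+)"
| eval message=case(match(_raw, "Transaction failed"), "Transaction failed",
                    match(_raw, "Duplicate key"), "Duplicate key",
                    match(_raw, "Event processed successfully"), "Event processed successfully")
| stats dc(message) AS message_count values(message) AS message BY eventId
| where message_count=1 AND message="Transaction failed"
| table eventId
```

The search returns eventId 1 and 5: eventId 2 and 3 are dropped because each also carries one of the excluded messages, eventId 4 never failed, and the two identical failures for eventId 5 collapse to a single distinct message, so no separate dedup step is needed.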
Thanks, Giuseppe.
Yes, that works for me!
Ciao