I created the following search query to cross search for users who successfully log in to a website and also received an email from a
specific sender (at the bottom), and I'm trying to filter out a few states. If I remove the | search state!=PA state!=OH state!=10 section the query runs and I see users logging in from both the US and outside the US.
However, with the | search state!=PA state!=OH state!=10 section in the search, my search is limited to only US based countries and countries outside the US are no longer listed in the results.
How can I return all countries and exclude a few states? I think my query isn't taking the fact that some countries do not have a state associated with them.
index=xxx url="https://xxx.xxx.xxx NOT (x* OR x.y.* OR x.y.* OR x.y.* OR x.y.*) [search index=xxx SenderAddress="email@example.com" |dedup user | fields user] | geoip "src_ip" | rename "src_ip"_latitude as "lat" | rename "src_ip"_longitude as "long" | rename "src_ip"_country_code as "country" | rename "src_ip"_region_name as "state" | table _time user country state src_ip