This is the line in my log file.I want to get all searchTerms that do not have a value for PAMapped
2012-10-29 11:20:21,711 - searchTerm=speeding&location=Soperton%2C+GA&PAMapped=
This is the search I gave.
index=savvis-varnish host="dell1000a-12" source="/flocal/logs/lawyers.findlaw.com/search-mapping.log" NOT PAMapped=* earliest=-1mon@mon
But it does not return all instances. It returns only one.
I could use eval to map it to a variable is the value is null
index=savvis-varnish source="/flocal/logs/lawyers.findlaw.com/search-mapping.log" earliest=-0mon@mon| eval Practice_Area=if(isnull(PAMapped),"Not Mapped",urldecode(PAMapped))
But now how do I use eval to display only those log lines that have Practice_Area="Not Mapped"
Tried, No result.
Tried, No result. I saw that there is isnull function with eval ? Do you know how to use that.
Try this with no spaces
PAMapped=""
Tried this too, with no result:
index=savvis-varnish host="dell1000a-12" source="/flocal/logs/lawyers.findlaw.com/search-mapping.log" PAMapped='' earliest=-1mon@mon
I tried
index=savvis-varnish host="dell1000a-12" source="/flocal/logs/lawyers.findlaw.com/search-mapping.log" PAMapped!=* earliest=-1mon@mon
but did not return any result.
Try this search instead:
index=savvis-varnish host="dell1000a-12" source="/flocal/logs/lawyers.findlaw.com/search-mapping.log" PAMapped!=* earliest=-1mon@mon
The !=
operator can be better for this sort of thing.