I am using the search below to shunt "ORA-00001" from a set of log files. This search works fine for just one log file.
index=xyz* NOT [search index=xyz* "*ORA-00001*" | WHERE source="/logs/sit/camel-audit.log"]
But when I put a wildcard in the where clause, it doesn't work. Could you please help me with how to use a wildcard in a where clause?
index=xyz* NOT [search index=xyz* "*ORA-00001*" | WHERE source="/logs/*/camel-audit.log"]
@ctaf's comment is a good one, but if you insist on using the where command you can't use wildcards. Try like, instead.
index=xyz* NOT [search index=xyz* "ORA-00001" | WHERE like(source,"/logs/%/camel-audit.log")]
Notice the like command uses SQL-style wildcards.
Thanks! It worked.
Please accept the answer.
Hello,
Why use a where clause?
You could just do:
index=xyz* NOT [search index=xyz* "ORA-00001" source="/logs/*/camel-audit.log"]
And perhaps even simpler:
index=xyz* NOT ("ORA-00001" AND source="/logs/*/camel-audit.log")
Thank you.
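Added example, not part of the original thread: a self-contained search that builds four constructed source paths with makeresults and compares the three ways of matching them discussed in the answers above. The sample paths are made up for illustration, and the match() regex column is an addition that the answers did not suggest.

```spl
| makeresults count=4
| streamstats count AS n
| eval source=case(
    n=1, "/logs/sit/camel-audit.log",
    n=2, "/logs/uat/camel-audit.log",
    n=3, "/logs/sit/archive/camel-audit.log",
    n=4, "/logs/sit/other.log")
| eval where_equals=if(source="/logs/*/camel-audit.log", "match", "no match")
| eval where_like=if(like(source, "/logs/%/camel-audit.log"), "match", "no match")
| eval where_regex=if(match(source, "^/logs/[^/]+/camel-audit[.]log$"), "match", "no match")
| table source where_equals where_like where_regex
```

The where_equals column is the comparison that where performs, with the asterisk treated as a literal character. In like(), % also spans "/" and _ matches any single character, so the regex column shows how to limit the match to exactly one directory level when nested paths should stay in the results.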