Solved: Why am I getting error "Regex: invalid UTF-8 strin...

rescobar713 · ‎06-08-2015

I'm trying to filter out events from a search based on a list of strings retrieved from the results of another search, like this:

... NOT [search ... | dedup title | eval title=substr(title, 5) | fields title]

However, I keep getting a Regex: invalid UTF-8 string error.

Is my syntax incorrect? Should I be going about this a different way?

Let me know if I can provide any additional information to help.

rescobar713 · ‎06-08-2015

I figured it out. Instead of using NOT I did this:

... | where ![search ... | dedup title | eval title=substr(title, 5) | fields title]

rescobar713 · ‎06-08-2015

I figured it out. Instead of using NOT I did this:

... | where ![search ... | dedup title | eval title=substr(title, 5) | fields title]

woodcock · ‎06-08-2015

I do not understand the error but you can do it like this and probably bypass the error:

... | dedup title | eval title=substr(title, 5) | fields title | map search="NOT $title$"

Why am I getting error "Regex: invalid UTF-8 string" trying to filter events based on string results from a subsearch?