Hello,
Here's my search:
index="blah" sourcetype="blah" severity="*" dis_name IN ("*") "*" AND NOT 1=0 | rest of the query
Why do they use AND NOT 1=0 here? Even without this the results are the same. I just want to know why they use this.
Any help would be appreciated!
Thank you
Let me speculate 😉. This is perhaps from a dashboard that opens like such:
index="blah" sourcetype="blah" severity="$severity_tok$" dis_name IN ("$dis_name_tok$") "$freetext_tok$" AND NOT $exclude_tok$
1=0 is assigned to exclude_tok as a catchall.
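A Simple XML form that would expand to the search in the question, as an added example (not from the original thread or from any real dashboard). The token names come from the reply above; the labels, choices and the `| stats` tail are assumptions standing in for the parts not shown.

```xml
<form version="1.1">
  <label>Constructed example: inputs with catch-all defaults</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="severity_tok">
      <label>Severity</label>
      <choice value="*">All</choice>
      <choice value="high">High</choice>
      <default>*</default>
    </input>
    <input type="multiselect" token="dis_name_tok">
      <label>dis_name</label>
      <choice value="*">All</choice>
      <default>*</default>
      <!-- Joins selections so ("$dis_name_tok$") becomes ("a","b") -->
      <delimiter>","</delimiter>
    </input>
    <input type="text" token="freetext_tok">
      <label>Free text</label>
      <default>*</default>
    </input>
    <input type="text" token="exclude_tok">
      <label>Exclude (e.g. host=test*)</label>
      <!-- Catch-all: no event has a field named "1" equal to "0", so
           NOT 1=0 matches every event. Without a value here the query
           would end in a dangling AND NOT. -->
      <default>1=0</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- With all defaults this expands to the search in the question -->
          <query>index="blah" sourcetype="blah" severity="$severity_tok$" dis_name IN ("$dis_name_tok$") "$freetext_tok$" AND NOT $exclude_tok$ | stats count by severity</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```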
There's not much point in this condition. Where did you get that?
And 'dis_name IN ("*")' can be simply written as dis_name=*.
Makes perfect sense. 🙂