Dear experts,

The basic idea of what I am trying to do: the results of a search should be filtered so that only data points are displayed which are not part of a "Blacklist" maintained as a lookup table. The challenging thing is that there are 3 columns which have to be taken into account for filtering at the same time. After a lot of trials, I ended up creating a key from the 3 columns (which is unique) and then filtering on the key. It is working, I just don't understand why :-(.

Question: Does anybody have an idea why the Version 1 filter works, and why the Version 2 filter fails?
Question: What needs to be changed to get Version 2 to work as well?

index="pm-azlm_internal_prod_events" sourcetype="azlmj"
| strcat ocp "_" fr "_" el unique_id
| table _time ocp fr el unique_id d_1
| search d_1="DEF ges AZ*"
``` VERSION 1: the working one ```
``` As long as the subsearch returns a table with the column unique_id, ```
``` which is exactly the name of the column I want to filter on, all works great. ```
| search NOT [| inputlookup pm-azlm-aufschneidmelder-j
| strcat ocp "_" fr "_" sec unique_id
| table unique_id]
``` VERSION 2: NOT working ```
``` As soon as I change the name of the column in the subsearch, the filter won't work anymore. ```
| search NOT [| inputlookup pm-azlm-aufschneidmelder-j
| strcat ocp "_" fr "_" sec ignore
| table ignore]
| timechart span=1d limit=0 count by unique_id

And the final question: is there a way to do such filtering without going through the key creation?

Thank you in advance.
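An added example, not part of the original post, showing the blacklist filter without the concatenated key. It reuses the index, sourcetype, lookup and field names from the post and assumes (as the post's strcat calls imply) that the lookup column sec corresponds to the event column el.

```spl
``` Added example (not from the original post). A subsearch is replaced by a predicate ```
``` built from its result rows: every row becomes (f1=v1 AND f2=v2 ...) and rows are joined ```
``` with OR. Only the field NAMES of the subsearch output are matched against the outer events, ```
``` which is why a column called "ignore" never matches anything and NOT [...] lets all events through. ```
``` The smallest fix for Version 2 is therefore "| rename ignore AS unique_id" inside the subsearch. ```
index="pm-azlm_internal_prod_events" sourcetype="azlmj"
| search d_1="DEF ges AZ*"
``` Key-free variant: return the three blacklist columns themselves, named like the event fields. ```
``` Each lookup row is expanded to (ocp="..." AND fr="..." AND el="..."), so all three ```
``` columns must match at once before an event is excluded. ```
| search NOT [| inputlookup pm-azlm-aufschneidmelder-j
    | rename sec AS el
    | fields ocp fr el]
``` The key is still handy for the chart, but it is no longer needed for the filter itself. ```
| strcat ocp "_" fr "_" el unique_id
| timechart span=1d limit=0 count by unique_id
```

Subsearches are capped by default in both result count and run time, so if the lookup grows past those limits the returned predicate is truncated and the blacklist silently stops being applied in full; check the search job's messages when results look too permissive.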