thank you for the reply but this won't help completely in my case. I need to check for each id if it has a log with message 1 and does not have a log with message 2.
Suppose I have logged data with certain fields like id, level, message etc.
Ex:
id:123
level:warn
Message:xyz task is being performed (msg1)
I need to find all logs which have the above message logged but should not have gone through a log with message 'abc task is being performed' (msg2).
So what I was trying to do was first get all ids which have msg1, then use a subsearch to check, for each of those ids, that NOT (msg2) is found. But it isn't working, and I even tried:
fields id | map search="search sourcetype=default_abc id=$id$ NOT \"abc task is being performed\""
Sorry, I am new to this so I might be wrong with understanding a lot of it.
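One way to express the per-id check asked for in this thread (ids that have an msg1 event and no msg2 event), as an added example rather than anything from the original posts; it assumes the sourcetype `default_abc` and the field name `id` mentioned above, and matches the two messages against `_raw` so it does not depend on the exact spelling of the message field:

```spl
sourcetype=default_abc id=* ("xyz task is being performed" OR "abc task is being performed")
| eval has_msg1=if(match(_raw, "xyz task is being performed"), 1, 0)
| eval has_msg2=if(match(_raw, "abc task is being performed"), 1, 0)
| stats max(has_msg1) AS has_msg1, max(has_msg2) AS has_msg2, count AS events BY id
| where has_msg1=1 AND has_msg2=0
| table id events
```

`stats ... BY id` collapses all of an id's events into one row, so an id survives the `where` only if at least one of its events carried msg1 and none carried msg2; the string filter on the first line just stops the search from scanning events that contain neither message.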
Sorry for the vague description of data but actually this data cannot be exposed.
They are mainly comma-separated values, in the middle of which we have language code, country code.
They are somewhere in the middle of _raw.
Ex: 324724588,nhiden-niuen-jkjl,en,us,6484-47934......,...
Actually, in the data it isn't necessary for the country to be preceded by 'en', which is why I was facing issues.
Is there any way to look for strings like ",us," or ",jp,"? A regex or rex expression for looking in _raw?
In the logged data:
....,en,us,....(one record)
....,en,in,.....(another record)
(Here .... represents string data)
I need to extract 'us' and 'in' from _raw from each log.
rex field=_raw ",(?<lang>[a-z]{2}),(?<country>[a-z]{2}),"
This is erroneous but it will be great if someone can help out.