I have 2 type of search messages - Problem #1 Problem #5 and other one goes like this - Solved problem_id successful: 1 Solved problem_id successful: 2 Solved problem_id successful: 3 I want to return Problems which have not been solved yet. So in the above case it should result with 5 only. What I tried : Search1 ==> index="production" "Problem #" earliest=-3h latest=-1h | rex field=message ".*Problem #(?<problem_id>.*):.*" | stats count by problem_id |table problem_id Extracting all Problem Ids(works fine) Search 2==> search index="production" "Solved problem_id successful:" earliest=-3h | rex field=message ".*Solved problem_id successful: (?<problem_id>.*)" | stats count by problem_id |table problem_id Extracting all problem ids which have been solved. (works fine ) Now to find problems which are not solved --> search1 | search not [search2] index="production" "Problem #" earliest=-3h latest=-1h | rex field=message ".*Problem #(?<problem_id>.*):.*" | stats count by problem_id |table problem_id | search NOT [search index="production" "Solved problem_id successful: " earliest=-3h | rex field=message ".*Solved problem_id successful: (?<problem_id>.*)" | stats count by problem_id |table problem_id ] Now above query doesn't work and for some reason just returns the result from search1. It seems not is not working for some reason. Thanks in advance. PS: I have modified the queries little bit on the fly to remove sensitive info.
... View more
