The goal is to take all eventIds with "operation failed" and exclude events with "Duplicate key" and "Event processed successfully":
index="idx" "Transaction failed"
| table eventId
| dedup eventId
| search NOT [search index="idx" "Duplicate key"
| table eventId ]
| search NOT [search index="idx" "Event processed successfully"
| table eventId ]
But for some reason the last NOT subquery doesn't exclude the events that were processed successfully:
| search NOT [search index="idx" "Event processed successfully"
| table eventId ]
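One way to express the same exclusion without nested subsearches, so the result is not subject to subsearch result-count and time limits that can silently truncate the excluded list, as an added example that is not part of the original post. It assumes `eventId` is already extracted for all three message types and that the message text is searchable in `_raw`:

```spl
index="idx" ("Transaction failed" OR "Duplicate key" OR "Event processed successfully")
| eval outcome=case(
    match(_raw, "Duplicate key"), "duplicate",
    match(_raw, "Event processed successfully"), "success",
    match(_raw, "Transaction failed"), "failed")
| stats count(eval(outcome="failed")) AS failed_count
        count(eval(outcome="duplicate")) AS duplicate_count
        count(eval(outcome="success")) AS success_count
        BY eventId
| where failed_count > 0 AND duplicate_count = 0 AND success_count = 0
| table eventId
```

Because every outcome is counted per `eventId` in a single pass, an event that failed and was later processed successfully (or reported a duplicate key) is dropped by the `where` clause rather than by a separate subsearch.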