Hi Guys,
I am trying to do a search and also at the same time drop certain information from showing up.
As seen from the table below, there is this user [ghjkl-hh123-wer56] that shows up.
Can I know what I must do in the search string so that usernames like the above no longer show up?
Please advise.
username | hostname |
user1 | host1 |
user2 | host2 |
ghjkl-hh123-wer56 | host3 |
ghjkl-hh123-wer56 | host4 |
user3 | host4 |
Hope this clarifies
Thank You
regards,
Alex
You can exclude a specific username from the search using
username!="ghjkl-hh123-wer56"
Or, to exclude usernames starting with ghjkl, use
username!="ghjkl*"
To exclude multiple usernames, use
NOT username IN ("user1", "user2")
I don't really understand. Can you show me an example please?
Let's assume you have events with two different fields - A and B
A | B |
1 | 1 |
2 | 2 |
3 | 3 |
1 | |
2 | 1 |
3 | 2 |
1 | 3 |
2 | |
3 | 1 |
Now if you search for
A!=1
it will give you the same results as
NOT A=1
because the field A has some value in every event.
But if you search for
B!=1
you will only get events which have a value in the B field and that value is different than 1.
So you'll get as results only those events that have B=2 or B=3.
But if you search for
NOT B=1
you will get as results all those events in which the B=1 condition is not fulfilled which means that either B=2, B=3 or there is no value for field B at all.
Just beware that
field!=value
does not have the same meaning as
NOT field=value
The first one will match only if there is a field called "field" within an event and its value is not "value".
The second one will match any event in which there is no field called "field" with value "value", which means it will also match events in which there is no field called "field" whatsoever. The first one wouldn't match those events.
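The difference between the two forms, as an added example that is not part of the original thread: a small Python model (not Splunk code) of `field!=value`, `NOT field=value` and `NOT field IN (...)`, run over the A/B table above and over the question's table plus one constructed event (host5) that has no username field. All function names are hypothetical.

```python
# Added illustration: a Python model of the exclusion forms discussed in this
# thread. It is not Splunk code; events are dicts, and a missing key stands
# for an event that does not have the field at all.
import re

def field_matches(event, field, pattern):
    """True if the event has `field` and its value matches `pattern` (* = wildcard)."""
    if field not in event:
        return False
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, str(event[field])) is not None

def neq(events, field, pattern):
    """Model of field!=pattern: the field must exist and must not match."""
    return [e for e in events
            if field in e and not field_matches(e, field, pattern)]

def not_eq(events, field, pattern):
    """Model of NOT field=pattern: every event where field=pattern does not hold."""
    return [e for e in events if not field_matches(e, field, pattern)]

def not_in(events, field, patterns):
    """Model of NOT field IN (...): keep events matching none of the patterns."""
    return [e for e in events
            if not any(field_matches(e, field, p) for p in patterns)]

# The A/B table from the thread; rows with an empty B cell have no "B" key.
AB_EVENTS = [
    {"A": 1, "B": 1}, {"A": 2, "B": 2}, {"A": 3, "B": 3},
    {"A": 1},         {"A": 2, "B": 1}, {"A": 3, "B": 2},
    {"A": 1, "B": 3}, {"A": 2},         {"A": 3, "B": 1},
]

# The question's table, plus one constructed event with no username field.
USER_EVENTS = [
    {"username": "user1", "hostname": "host1"},
    {"username": "user2", "hostname": "host2"},
    {"username": "ghjkl-hh123-wer56", "hostname": "host3"},
    {"username": "ghjkl-hh123-wer56", "hostname": "host4"},
    {"username": "user3", "hostname": "host4"},
    {"hostname": "host5"},  # constructed sample: username missing
]

def hosts(events):
    return [e["hostname"] for e in events]

if __name__ == "__main__":
    print("B!=1     ->", len(neq(AB_EVENTS, "B", "1")), "events")
    print("NOT B=1  ->", len(not_eq(AB_EVENTS, "B", "1")), "events")
    print('username!="ghjkl*"    ->', hosts(neq(USER_EVENTS, "username", "ghjkl*")))
    print('NOT username="ghjkl*" ->', hosts(not_eq(USER_EVENTS, "username", "ghjkl*")))
```

When the exclusion is part of a monitoring or detection search, the `!=` form also drops every event in which the field is missing, so `NOT field=value` is the form that keeps those events visible.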