Re: Trying to ignore a value based on the field

srinivasgowda · ‎05-20-2021

Hello team,

I am trying to ignore the value "Total" if its concurrent Os_type matches "Linux"

Below is what I tried.

|search DataType=Executive_Summary | search OS_Type=Linux AND OS_SubType!=Total
| chart values(Servers_Skipped_Patching) as Skipped values(Servers_Failed_Patching) as Failed values(Servers_Successfully_Patching) as Successful by "OS_Type" "OS_SubType"

However, as I am also getting the value OS_SubType=Total from OS_Type=Windows.

Please let me know how I may ignore the "Total" only from Linux and not from any other OS_Type.

ITWhisperer · ‎05-20-2021

| search OS_Type!=Linux OR OS_SubType!=Total

srinivasgowda · ‎05-20-2021

By using OS_Type!=Linux all other OS_Subtype would be ignore from Linux and by adding OS_Subtype!=Total, Total from all other OS_Type will be ignored. And that is not what I am looking for. I need to ignore only Total coming from OS_Type=Linux

ITWhisperer · ‎05-20-2021

Did you try it?

There is an OR so if the OS_Type is not Linux it will get found no matter what the OS_Subtype, or if the OS_Type is Linux, then it will only be found if the OS_Subtype is not Total.

OS_Type	OS_Subtype	Found by search
Linux	Total	No
Linux	Not Total	Yes (OS_Subtype != Total)
Not Linux	Total	Yes (OS_Type != Linux)
Not Linux	Not Total	Yes (OS_Type != Linux)

Is this not what you want?

Trying to ignore a value based on the field

eval

search job inspector

stats

subsearch

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?