I'm attempting to remove some elements from a search. After reading some answers, the following search was born:
index=domain_ctrl_nmb* NOT
[ search index=servers_list
| dedup host_name
| fields host_name
| rename user as host
| table host ]
| where (match(host, "^[a-zA-Z]{1}[a-zA-Z0-9-._]{1,30}$"))
| dedup host
| table host
domain_ctrl_nmb* means that there are indexes domain_ctrl_nmb001, domain_ctrl_nmb002, domain_ctrl_nmb003...
The search seems pretty obvious, but in order to verify the result, I've run the subsearch independently, compared its results with the main search, and found out there are some common values.
Am I doing the search correctly?