1.4 You want to look for authorization failures, not including router messages


You want to match log messages containing one pattern, but ignore log messages that match another pattern.


Use the Boolean NOT operator in a query like this:

auth* AND (fail* OR error) NOT _sourceCategory=routers


Remember that Boolean expressions are processed in left-to-right order, except that parentheses override the precedence. In this example, the query looks for log messages that contain either fail* or error, then ignores the message if it does not contain auth*. If the message has not been ignored by these rules, it will be ignored if its _sourceCategory is "routers". Notice that AND is implied before NOT.
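To check which messages the filter keeps and why the others are dropped, the following added example (not part of the original cookbook and not Sumo Logic code) models the query in Python over constructed log records. It assumes keywords match whole words case-insensitively and that _sourceCategory is compared exactly; the function names and sample messages are made up for illustration.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample records (not real logs): (_sourceCategory, message)
SAMPLE_LOGS = [
    ("linux/secure", "sshd[2211]: Authentication failure for admin from 10.0.0.5"),
    ("routers", "login: authentication failed for user ops on vty0"),
    ("app/web", "AuthService error: token signature invalid"),
    ("app/web", "disk write failed on /dev/sda1"),
    ("linux/secure", "Authorized key accepted for deploy"),
]


def has_term(message, pattern):
    """True if any word in the message matches the wildcard keyword.

    Assumption: keywords match whole words, case-insensitively.
    """
    words = re.findall(r"[a-z0-9_]+", message.lower())
    return any(fnmatchcase(word, pattern.lower()) for word in words)


def evaluate(source_category, message):
    """Model of: auth* AND (fail* OR error) NOT _sourceCategory=routers

    Returns (kept, reason) so a dropped message can be explained.
    """
    if not has_term(message, "auth*"):
        return False, "no auth* keyword"
    if not (has_term(message, "fail*") or has_term(message, "error")):
        return False, "no fail* or error keyword"
    # NOT is applied last, with an implied AND in front of it.
    if source_category == "routers":
        return False, "excluded by NOT _sourceCategory=routers"
    return True, "match"


def run_query(logs):
    """Return only the records the query would keep."""
    return [(cat, msg) for cat, msg in logs if evaluate(cat, msg)[0]]


if __name__ == "__main__":
    for cat, msg in SAMPLE_LOGS:
        kept, reason = evaluate(cat, msg)
        print(f"{'KEEP' if kept else 'DROP'}  [{cat}] {msg}  ({reason})")
```

The router record satisfies both keyword conditions and is dropped only by the final NOT clause, which is the case worth confirming whenever an exclusion is added to an authentication-failure search.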