Sumo Logic

1.4 You want to look for authorization failures, not including router messages

Problem

You want to match log messages containing one pattern, but ignore log messages that match another pattern.

Solution

Use the Boolean NOT operator in a query like this:

auth* AND (fail* OR error) NOT _sourceCategory=routers

Discussion

Remember that Boolean expressions are processed left to right, except that parentheses override this order. In this example, the query first looks for log messages that contain either fail* or error, then ignores any message that does not also contain auth*. Any message not already ignored by these rules is then ignored if its _sourceCategory is "routers". Notice that AND is implied before NOT.
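
The filter logic described above, modeled in Python over constructed log records. This is an added example, not Sumo Logic code. The has_term helper is a hypothetical, simplified stand-in for keyword matching (case-insensitive, wildcard applied per token), and keep_without_parens shows what the same terms select when the parentheses are dropped and the expression is read strictly left to right.

```python
import re
from fnmatch import fnmatchcase

def has_term(message, pattern):
    # Simplified keyword match (assumption): case-insensitive, wildcard per token.
    tokens = re.findall(r"[a-z0-9_]+", message.lower())
    return any(fnmatchcase(tok, pattern.lower()) for tok in tokens)

def keep(rec):
    # auth* AND (fail* OR error) NOT _sourceCategory=routers
    m = rec["message"]
    return (has_term(m, "auth*")
            and (has_term(m, "fail*") or has_term(m, "error"))
            and rec["_sourceCategory"] != "routers")

def keep_without_parens(rec):
    # Same terms with the parentheses dropped, read strictly left to right
    # as the Discussion describes: ((auth* AND fail*) OR error) NOT routers.
    m = rec["message"]
    return (((has_term(m, "auth*") and has_term(m, "fail*"))
             or has_term(m, "error"))
            and rec["_sourceCategory"] != "routers")

# Constructed sample records (not real log data).
SAMPLE = [
    {"id": 1, "_sourceCategory": "linux/secure",
     "message": "sshd[812]: authentication failure for user admin"},
    {"id": 2, "_sourceCategory": "routers",
     "message": "authentication failed for user ops on vty0"},
    {"id": 3, "_sourceCategory": "app/web",
     "message": "disk write error on /dev/sda1"},
    {"id": 4, "_sourceCategory": "app/web",
     "message": "authorized session opened for user alice"},
    {"id": 5, "_sourceCategory": "app/api",
     "message": "AuthService returned ERROR code 401"},
]

def select(pred, records=SAMPLE):
    # Return the ids of the records the predicate keeps.
    return [r["id"] for r in records if pred(r)]

if __name__ == "__main__":
    print("with parentheses:   ", select(keep))
    print("without parentheses:", select(keep_without_parens))
```

Record 2 matches every keyword and is excluded only by its source category, while record 3 is the unrelated error that appears in the results once the parentheses are removed.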