This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Eliminate users in Report

RenatoGoncalves
Beginner
Beginner

‎2017-11-20 12:13 PM

Hello,

In need to eliminate some users in results from some reports.

I used de != expression but it didn't work.

Im using this rules: "event.type exists && user.dst exists && user.dst != 'user\things && user.dst != 'things\General' && lc.cid = '1' || lc.cid = '22' and the reports only eliminates the first user

 

What can i do to remove both users?

 

Thanks

0 Likes
1 REPLY 1

JohnKisner
Valued Contributor Valued Contributor
Valued Contributor

‎2017-11-20 02:27 PM

Order of operations is very important. Try something like this (notice the parenthesis):

 

event.type exists && user.dst exists && (user.dst != 'VC.LOCAL\rsa-vcenter-logs' && user.dst != 'VC.LOCAL\General') && (lc.cid = 'inf-logcollector01' || lc.cid = 'inf-logcollector02')

 

 

© 2022 RSA Security LLC or its affiliates. All rights reserved.