We use Seq to find valuable insights in the vast sea of our structured log messages. While the search usually works straightforward without any surprises, this time we run into a minor problem.
We wanted to find all log messages where property FieldX did not match a specific value. Therefore, we appended this clause to our search:
|
1 |
... AND FieldX <> 'abc' |
It seemed to work, and we no longer got any messages that had ‘abc’ in the FieldX. It took us a while to notice that we missed a lot of messages. If the message did not have a property FieldX in the first place, it did not show up either. That was not what we had in mind, even when that was exactly what we defined.
Since there is no way to write OR FieldX is missing, we need to take a detour over the @Properties collection of the event itself. There we find all the event properties and we can check if our property is in that list.
To get all the messages without FieldX and only those with FieldX that do not have ‘abc’ in them, we need to change the search query to this:
|
1 |
... AND ( FieldX <> ‘abc’ OR FieldX not in @Properties ) |
While tracking down this solution I found the immensely helpful Seq Cheat Sheets. Should you have any questions about search in Seq, you should consult these 5 pages right away.