https://community.splunk.com/t5/Splunk-Search/how-to-count-rows-with-lack-of-field/m-p/45860#M10933 <P>I stand corrected. Thanks!</P> Thu, 17 Feb 2011 15:47:32 GMT Ayn 2011-02-17T15:47:32Z https://community.splunk.com/t5/Splunk-Search/how-to-count-rows-with-lack-of-field/m-p/45854#M10927 <P>so i have a log which has column/field which will be populated with "Y" if there is an ERROR, feild name is ERROR_FLAG and will be blank if there is no ERROR.</P> <P>how do i calculate rows where this FIELD is non-existant or blank ?</P> <P>alternatively, how do i subtract ERROR_FEILD="Y" Count from Total Row count to get me this data.. all has to be done in real time.</P> Thu, 17 Feb 2011 04:23:04 GMT https://community.splunk.com/t5/Splunk-Search/how-to-count-rows-with-lack-of-field/m-p/45854#M10927 ashishv 2011-02-17T04:23:04Z https://community.splunk.com/t5/Splunk-Search/how-to-count-rows-with-lack-of-field/m-p/45855#M10928 <P>I think it will be easier to answer your question if you can provide us with some sample events. Once you have a working field extraction, the rest should pose no problems. If you've successfully extracted the field using name "error_field" for instance, you would just have to do</P> <PRE><CODE>error_field!="Y" </CODE></PRE> <P>I'm unsure what you mean by that it has to be done in real time. The field extractions will work on any search, regardless of what time range you choose (including real-time).</P> Thu, 17 Feb 2011 05:04:11 GMT https://community.splunk.com/t5/Splunk-Search/how-to-count-rows-with-lack-of-field/m-p/45855#M10928 Ayn 2011-02-17T05:04:11Z https://community.splunk.com/t5/Splunk-Search/how-to-count-rows-with-lack-of-field/m-p/45856#M10929 <P>Not-Exist OR blank is a bit tricky. Try </P> <PRE><CODE>(ERROR="" OR NOT ERROR="*") </CODE></PRE> Thu, 17 Feb 2011 05:05:24 GMT https://community.splunk.com/t5/Splunk-Search/how-to-count-rows-with-lack-of-field/m-p/45856#M10929 jrodman 2011-02-17T05:05:24Z https://community.splunk.com/t5/Splunk-Search/how-to-count-rows-with-lack-of-field/m-p/45857#M10930 <P>Oh, Ayn's solution is superior if it is really precisely as you describe.</P> Thu, 17 Feb 2011 05:05:54 GMT https://community.splunk.com/t5/Splunk-Search/how-to-count-rows-with-lack-of-field/m-p/45857#M10930 jrodman 2011-02-17T05:05:54Z https://community.splunk.com/t5/Splunk-Search/how-to-count-rows-with-lack-of-field/m-p/45858#M10931 <P>Calculating non-existent or blank can be done like this:</P> <PRE><CODE>... NOT ERROR_FLAG=* </CODE></PRE> <P>To count the rows where the field is not Y, including blank or missing:</P> <PRE><CODE>... NOT ERROR_FLAG="Y" | stats count </CODE></PRE> <P>NOTE: Using "<CODE>&lt;field&gt;!=&lt;value&gt;</CODE>" will not account for missing or empty fields. You should use the "<CODE>NOT &lt;field&gt;=&lt;value&gt;</CODE>" syntax.</P> Thu, 17 Feb 2011 05:16:58 GMT https://community.splunk.com/t5/Splunk-Search/how-to-count-rows-with-lack-of-field/m-p/45858#M10931 Ron_Naken 2011-02-17T05:16:58Z https://community.splunk.com/t5/Splunk-Search/how-to-count-rows-with-lack-of-field/m-p/45859#M10932 <P>This method will not account for blank values or a missing field. See my answer to account for these.</P> Thu, 17 Feb 2011 05:21:14 GMT https://community.splunk.com/t5/Splunk-Search/how-to-count-rows-with-lack-of-field/m-p/45859#M10932 Ron_Naken 2011-02-17T05:21:14Z https://community.splunk.com/t5/Splunk-Search/how-to-count-rows-with-lack-of-field/m-p/45860#M10933 <P>I stand corrected. Thanks!</P> Thu, 17 Feb 2011 15:47:32 GMT https://community.splunk.com/t5/Splunk-Search/how-to-count-rows-with-lack-of-field/m-p/45860#M10933 Ayn 2011-02-17T15:47:32Z