topic Re: EASY QUESTION: How to search for events that produce a field value of zero in Splunk Search

EASY QUESTION: How to search for events that produce a field value of zero

cosullivan66 — Tue, 09 Apr 2013 19:44:47 GMT

Hi all, wish I could figure this one out myself but I'm stumped. I'm interested in producing a list of all the account IDs that have count(ns2:sessionType=SCHEDULED) = 0. I can produce the following list with this search:

sourcetype="ScreenSharingEvent" | xmlkv | chart count by ns2:accountId ns2:sessionType

ns2:accountId        IMPROMPTU     RECURRING    SCHEDULED

1 545538432972491782 0 0 2

2 1937523452352853511 2 0 5

3 2633426351742639109 7 0 0

I simply want a chart that would list the account with SCHEDULED=0

ns2:accountId

1 2633426351742639109

Thanks for the help!!

Re: EASY QUESTION: How to search for events that produce a field value of zero

jdunlea_splunk — Tue, 09 Apr 2013 20:02:59 GMT

Assuming that in this case, the xmlkv command is splitting the KVs correctly, you could do this:

sourcetype="ScreenSharingEvent" | xmlkv | search SCHEDULED=0 | chart count by ns2:accountId ns2:sessionType

Re: EASY QUESTION: How to search for events that produce a field value of zero

cosullivan66 — Tue, 09 Apr 2013 20:16:22 GMT

Thanks for the reply, but SCHEDULED is a field value corresponding to the field ns2:sessionType, so I want something like count(ns2:sessionType=Scheduled)=0. However this command doesn't work.