https://community.splunk.com/t5/Splunk-Search/Working-with-the-NOT-command/m-p/642738#M222619 <P>There are two ways to do a negative test in SPL - the <FONT face="courier new,courier">NOT</FONT> operator and the <FONT face="courier new,courier">!=</FONT> operator.&nbsp; Each has slightly different syntax and behaves slightly differently.</P><LI-CODE lang="markup">| eval result=if(ExitStatus!=0, "Error", "Success")</LI-CODE><P>The <FONT face="courier new,courier">!=</FONT> operator looks at events that have an ExitStatus field that has a value.&nbsp; Nulls are ignored.</P><LI-CODE lang="markup">| eval result=if(NOT ExitStatus=0, "Error", "Success")</LI-CODE><P>The <FONT face="courier new,courier">NOT</FONT> operator looks at all events, even those that do not have an ExitStatus field.&nbsp; Nulls are included.&nbsp; A null does not match the target value.</P><P>That said, I think you don't need either operator.&nbsp; Just have the pie chart show how many of each ExitStatus there is.</P><LI-CODE lang="markup">| chart count by ExitStatus</LI-CODE><P>If you really want only 2 values displayed then you can normalize the values before charting them.</P><LI-CODE lang="markup">| eval ExitStatus=if(ExitStatus&gt;0, 1, 0) | chart count by ExitStatus</LI-CODE> Tue, 09 May 2023 21:38:57 GMT richgalloway 2023-05-09T21:38:57Z https://community.splunk.com/t5/Splunk-Search/Working-with-the-NOT-command/m-p/642737#M222618 <P>So I am trying to search through some results and I am trying to display the results that ExitStatus=0 which means it ran correctly and ExitStatus=anything else which is not 0, meaning it is an error. I am looking to have a pie chart which it shows either ExitStatus=0 or ExitStatus= NOT 1.&nbsp;</P> Tue, 09 May 2023 20:56:12 GMT https://community.splunk.com/t5/Splunk-Search/Working-with-the-NOT-command/m-p/642737#M222618 jialiu907 2023-05-09T20:56:12Z https://community.splunk.com/t5/Splunk-Search/Working-with-the-NOT-command/m-p/642738#M222619 <P>There are two ways to do a negative test in SPL - the <FONT face="courier new,courier">NOT</FONT> operator and the <FONT face="courier new,courier">!=</FONT> operator.&nbsp; Each has slightly different syntax and behaves slightly differently.</P><LI-CODE lang="markup">| eval result=if(ExitStatus!=0, "Error", "Success")</LI-CODE><P>The <FONT face="courier new,courier">!=</FONT> operator looks at events that have an ExitStatus field that has a value.&nbsp; Nulls are ignored.</P><LI-CODE lang="markup">| eval result=if(NOT ExitStatus=0, "Error", "Success")</LI-CODE><P>The <FONT face="courier new,courier">NOT</FONT> operator looks at all events, even those that do not have an ExitStatus field.&nbsp; Nulls are included.&nbsp; A null does not match the target value.</P><P>That said, I think you don't need either operator.&nbsp; Just have the pie chart show how many of each ExitStatus there is.</P><LI-CODE lang="markup">| chart count by ExitStatus</LI-CODE><P>If you really want only 2 values displayed then you can normalize the values before charting them.</P><LI-CODE lang="markup">| eval ExitStatus=if(ExitStatus&gt;0, 1, 0) | chart count by ExitStatus</LI-CODE> Tue, 09 May 2023 21:38:57 GMT https://community.splunk.com/t5/Splunk-Search/Working-with-the-NOT-command/m-p/642738#M222619 richgalloway 2023-05-09T21:38:57Z