index="aws-cloudtrail" errorCode!=success returns the results I expect, i.e., events that have error codes other than "success".
index="aws-cloudtrail" NOT errorCode=success returns no results at all.
I understand that the != operator implies that the field exists in my data, but that does not explain the behavior I am seeing.
Ha! That works.
The string "errorCode=success" does not actually exist in the raw data (which is in JSON). errorCode=success is how Splunk's "syntax highlighting" presents the data. I wonder if Splunk is looking for the string errorCode=success literally when I don't have quotes around it.