Splunk Search

Data Extraction in Search Form

New Member

Here is what I have -

2010-10-05T12:37:55-05:00 xxx.xxx.xxx.xxx [lpr.info] SERVERNAME: Scan ID: 1283612407,Begin: 2010-09-04 15:00:03,End: 2010-09-04,Completed,Duration (seconds): 196,User1: username,User2: username,"Scan started on selected drives and folders and all extensions.","Scan Complete: Risks: 0 Scanned: 1012 Files/Folders/Drives Omitted: 0",Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 1012,Omitted: 0,Computer: computername,IP Address: xxx.xxx.xxx.xxx,Domain: domainname,Server: servername

I want to run a query where Risks, Threats, or Infected are greater than 0.

(Scan Complete:) AND (Risks: <0) OR (Threats: <0) OR (Infected: <0)

The problem I'm having is that I do not know how to get "<0" into the query.

Any assistance is much appreciated.

Tags (1)
0 Karma

New Member

Yeah, I saw that after I posted. Total typo on my part.

0 Karma

Splunk Employee
Splunk Employee

also since you want greater then zero you want foo>0

0 Karma

Splunk Employee
Splunk Employee

Do these fields get extracted? Scan Complete, Risks, Threats, Infected? If yes you can try: Try:

<your search> | WHERE Risks > 0 AND Infected > 0 ...etc..

If these fields do not get extracted then you can try something like:

<your search> NOT ("Scan Complete:" OR "Risks: 0") ..etc...

Hope this helped.

0 Karma

Splunk Employee
Splunk Employee

Yay! 😉 - You're welcome!

0 Karma

New Member

They do not get extracted, so using -

"Scan Complete:" NOT ("Risks: 0" OR "Threats: 0" OR "Infected: 0")

Gave me just what I was looking for.

Much appreciated, Genti.

0 Karma