Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

EASY QUESTION: How to search for events that produce a field value of zero

cosullivan66
Explorer
‎04-09-2013 12:44 PM

Hi all, wish I could figure this one out myself but I'm stumped. I'm interested in producing a list of all the account IDs that have count(ns2:sessionType=SCHEDULED) = 0. I can produce the following list with this search:

sourcetype="ScreenSharingEvent" | xmlkv | chart count by ns2:accountId ns2:sessionType

ns2:accountId        IMPROMPTU     RECURRING    SCHEDULED

1 545538432972491782 0 0 2

2 1937523452352853511 2 0 5

3 2633426351742639109 7 0 0

I simply want a chart that would list the account with SCHEDULED=0

ns2:accountId

1 2633426351742639109

Thanks for the help!!

Tags (1)
0 Karma
Reply

jdunlea_splunk
Splunk Employee
Splunk Employee
‎04-09-2013 01:02 PM

Assuming that in this case, the xmlkv command is splitting the KVs correctly, you could do this:

sourcetype="ScreenSharingEvent" | xmlkv | search SCHEDULED=0 | chart count by ns2:accountId ns2:sessionType

Reply

cosullivan66
Explorer
‎04-09-2013 01:16 PM

Thanks for the reply, but SCHEDULED is a field value corresponding to the field ns2:sessionType, so I want something like count(ns2:sessionType=Scheduled)=0. However this command doesn't work.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...