Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

EASY QUESTION: How to search for events that produce a field value of zero

cosullivan66
Explorer
‎04-09-2013 12:44 PM

Hi all, wish I could figure this one out myself but I'm stumped. I'm interested in producing a list of all the account IDs that have count(ns2:sessionType=SCHEDULED) = 0. I can produce the following list with this search:

sourcetype="ScreenSharingEvent" | xmlkv | chart count by ns2:accountId ns2:sessionType

ns2:accountId        IMPROMPTU     RECURRING    SCHEDULED

1 545538432972491782 0 0 2

2 1937523452352853511 2 0 5

3 2633426351742639109 7 0 0

I simply want a chart that would list the account with SCHEDULED=0

ns2:accountId

1 2633426351742639109

Thanks for the help!!

Tags (1)
0 Karma
Reply

jdunlea_splunk
Splunk Employee
Splunk Employee
‎04-09-2013 01:02 PM

Assuming that in this case, the xmlkv command is splitting the KVs correctly, you could do this:

sourcetype="ScreenSharingEvent" | xmlkv | search SCHEDULED=0 | chart count by ns2:accountId ns2:sessionType

Reply

cosullivan66
Explorer
‎04-09-2013 01:16 PM

Thanks for the reply, but SCHEDULED is a field value corresponding to the field ns2:sessionType, so I want something like count(ns2:sessionType=Scheduled)=0. However this command doesn't work.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...