Splunk Search

Find records with a certain field defined

ibmbaranski
Engager

I'm looking for records that have a "user_email" field defined and not equal to "unauthenticated".

How do I do this:

search index=xyz sourcetype=abc (NOT user_email=unauthenticated AND user_email=*)

This does not appear to be working - I get loads of records with no user_email field defined?

ITWhisperer
SplunkTrust

Try something like this:

search index=xyz sourcetype=abc user_email=* NOT user_email=unauthenticated

AND is implied in the search.

codebuilder
SplunkTrust

Simple yet elegant solution. Love it!

----
An upvote would be appreciated and Accept Solution if it helps!
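
The accepted search can be checked without any indexed data. The following is an added example, not part of the original thread: it uses `makeresults` to build four constructed events (the `n` counter, the `field_defined` column and the e-mail values are made up for illustration), where event 2 carries `user_email=unauthenticated` and event 4 has no `user_email` field at all because `case()` returns NULL for it, and then applies the same filter.

```spl
| makeresults count=4
| streamstats count AS n
| eval user_email=case(n=1, "alice@example.com", n=2, "unauthenticated", n=3, "bob@example.com")
| eval field_defined=if(isnotnull(user_email), "yes", "no")
| search user_email=* NOT user_email=unauthenticated
| table n user_email field_defined
```

Only events 1 and 3 come back. Replacing the `search` line with `| search NOT user_email=unauthenticated` also returns event 4, because `NOT field=value` matches events where the field is missing, whereas `| search user_email!=unauthenticated` returns only events 1 and 3, since `!=` requires the field to exist.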