Re: How to return which input values did not retur...

onelasttime · ‎11-07-2021

I have a list of identifers I need to query splunk for results for, and then display the identifiers that Splunk didn't find any results for. Can someone point me in the right direction on how to accomplish this in a single search?

gcusello · ‎11-07-2021

Hi @onelasttime,

as @richgalloway said, Splunk lists only the results it found so to have also the not found values you have to add them.

The way to do this depends on the kind of objects to search; e.g. if you have to identify the hosts that disn't received logs, you could create a lookup (called e.g. perimeter.csv) containing the field to search (e.g. host) and then run a search like this:

index=your_index
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total By host
| where total=0

So, when you speak of "a list of identifiers" are you speaking of strings to find in the full events (_row) or values of a field?

If values of a field, you could use the same approach od my sample, if instead you're meaning of strings to search in the full events (_row) is just a little more complicated.

Ciao.

Giuseppe

richgalloway · ‎11-07-2021

See this blog entry for a good write-up on how to do that.

https://www.duanewaddle.com/proving-a-negative/

---
If this reply helps you, Karma would be appreciated.

How to return which input values did not return results in a splunk query

count

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation