If I wanted to run a search for a field that has any value other than 0, i.e. "File Infections: 0": if I wanted to run a search to see if there have been any infections, so the value would be anything other than 0, how would I do this?

Second question: I wanted to see a table of all domains visited, but only the FQDN and not any sub-directories or dynamic content. How would I do this?


Splunk Employee

If you have the "File Infections" value extracted as a field you could simply search like this:

... fileInfections != 0 | ...

Field Extractions: http://docs.splunk.com/Documentation/Splunk/latest/User/ExtractNewFields

Note that this search finds events where the fileInfections field exists, but has a value other than zero. So, it won't find events that do not have the fileInfections field at all. If you want to find those events as well, you would do ... NOT fileInfections = 0 | ...
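The difference between `!=` and `NOT field=0` described above can be checked without any indexed data. The following is an added example, not part of the original answer: it constructs three fake events with `makeresults`, extracts `fileInfections` with `rex` (the regex and the sample event text are assumptions for illustration, not a real product's log format), and then applies one of the two filters.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(n==1, "scan host=a File Infections: 0",
                 n==2, "scan host=b File Infections: 3",
                 n==3, "scan host=c status=ok")
| rex field=_raw "File Infections:\s+(?<fileInfections>\d+)"
| search fileInfections!=0
```

With `search fileInfections!=0` only the `host=b` event comes back, because the `host=c` event has no `fileInfections` field at all. Replacing the last line with `| search NOT fileInfections=0` returns both `host=b` and `host=c`. For an infection report the first form is usually what you want; the second form is useful when you need to spot events where the extraction itself failed, for example after a log format change.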

