Greetings good people,
I may be overthinking things or didn't get enough sleep. I need to return results where a field value is not present at all (0%), i.e. no event coverage for the given value. Not the field, but the field value. For example:
Let's say we have a field called source_zone and possible values of INT, DMZ, or EXT.
I would like to see all events where there are 0 results for source_zone="EXT". This is not the same as source_zone!="EXT" because that is filtering out the results.
Kindly advise and thanks.
The way I read your question, you want events that have no value in the source_zone field. If that's the case, try something like this:
your_search | where isnull(source_zone)
If you want to get all results that do not equal "EXT", try this:
your_index your_sourcetype source_zone!=EXT
Hi. You can try:
index=your_index sourcetype=your_sourcetype NOT source_zone=EXT
As per Splunk best practices, however, inclusion is better than exclusion. So if you have a small number of possible values it might be better to search for all the values you want rather than the one you don't.
From the link I posted above: Searching with NOT - If you search with the NOT operator, every event is returned except the events that contain the value you specify. This includes events that do not have a value in the field.
So unlike !=, it will return events that don't have that value. Not just exclude the ones that have it.
Finding something that is not there can be challenging.
Perhaps https://www.duanewaddle.com/proving-a-negative/ will help.
NOT source_zone="EXT" which is not the same as
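To make the "zero results for a value" question concrete, here is an added SPL example (not from any of the posters) that lists every expected source_zone value, including those with no events at all, and then keeps only the ones with a count of 0; index, sourcetype and the value list INT,DMZ,EXT are assumed from the question.

```spl
index=your_index sourcetype=your_sourcetype
| fillnull value="(no value)" source_zone
| stats count AS count BY source_zone
| append
    [| makeresults
     | eval source_zone=split("INT,DMZ,EXT", ",")
     | mvexpand source_zone
     | eval count=0
     | fields source_zone count]
| stats sum(count) AS count BY source_zone
| where count=0
```

The fillnull step gives events with no source_zone their own row, which is exactly the set that NOT source_zone="EXT" returns but source_zone!="EXT" drops, while the appended subsearch seeds each expected value with a zero so a value with no matching events still appears and is the one reported by the final where clause. Remove the last line to see the full coverage table instead of only the missing values.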