Splunk Search

Show me all events where field value not present?

yepyepyayyooo
New Member

Greetings good people,

i may be over thinking things or didn't get enough sleep. I need to return results where a field value is not present at all (0%) i.e. no event coverage for the given value. Not field but field value. For example.

Let's say we have a field called source_zone and possible values of INT, DMZ, or EXT.

I would like to see all events where there are 0 results for source_zone="EXT". This is not the same as source_zone!="EXT" because that is filtering out the results.

Kindly advise and thanks.

0 Karma

to4kawa
Ultra Champion
your_search
| eventstats count(eval(source_zone="EXT")) as check
| where check < 1

Hi, @yepyepyayyooo
how about this?

0 Karma

mydog8it
Builder

The way I read your question, you want events that have no value in the source_zone field. If that's the case, try something like this:

your_search | where isnull(source_zone)

If you want to get all results that do not equal "EXT", try this:

your_index your_sourcetype source_zone!=EXT
0 Karma

oscar84x
Contributor

Hi. You can try:

index=your_index sourcetype=your_sourcetype NOT source_zone=EXT

As per Splunk best practices, however, inclusion is better than exclusion. So if you have a small number of possible values it might be better to search for all the values you want rather than the one you don't.

https://docs.splunk.com/Documentation/Splunk/8.0.1/Search/NOTexpressions

0 Karma

yepyepyayyooo
New Member

Doesn't this filter out results? I need to see if condition true show me everything else. I need something like

where source_zone value EXT is nonexistent, show me those results
0 Karma

oscar84x
Contributor

From the link I posted above: Searching with NOT - If you search with the NOT operator, every event is returned except the events that contain the value you specify. This includes events that do not have a value in the field.

So unlike !=, it will return events that don't have that value. Not just exclude the ones that have it.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Finding something that is not there can be challenging.

Perhaps https://www.duanewaddle.com/proving-a-negative/ will help.

There also NOT source_zone="EXT" which is not the same as source_zone!="EXT".

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...