Greetings good people,
I may be overthinking things or didn't get enough sleep. I need to return results where a field value is not present at all (0%), i.e. no event coverage for the given value. Not the field, but a field value. For example:
Let's say we have a field called source_zone and possible values of INT, DMZ, or EXT.
I would like to see all events where there are 0 results for source_zone="EXT". This is not the same as source_zone!="EXT" because that is filtering out the results.
Kindly advise and thanks.
Hi, @yepyepyayyooo
How about this?
your_search
| eventstats count(eval(source_zone="EXT")) as check
| where check < 1
The way I read your question, you want events that have no value in the source_zone field. If that's the case, try something like this:
your_search | where isnull(source_zone)
If you want to get all results that do not equal "EXT", try this:
your_index your_sourcetype source_zone!=EXT
Hi. You can try:
index=your_index sourcetype=your_sourcetype NOT source_zone=EXT
As per Splunk best practices, however, inclusion is better than exclusion. So if you have a small number of possible values it might be better to search for all the values you want rather than the one you don't.
https://docs.splunk.com/Documentation/Splunk/8.0.1/Search/NOTexpressions
Doesn't this filter out results? I need: if the condition is true, show me everything else. I need something like
"where the source_zone value EXT is nonexistent, show me those results".
From the link I posted above: Searching with NOT - If you search with the NOT operator, every event is returned except the events that contain the value you specify. This includes events that do not have a value in the field.
So unlike !=, it will return events that don't have that value. Not just exclude the ones that have it.
Finding something that is not there can be challenging.
Perhaps https://www.duanewaddle.com/proving-a-negative/ will help.
There is also NOT source_zone="EXT",
which is not the same as source_zone!="EXT".
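An added example, not from this thread, that builds constructed events with makeresults so the two points discussed above can be seen side by side: the first search keeps the event that has no source_zone at all (swap NOT source_zone="EXT" for source_zone!="EXT" and that event disappears); the second is the eventstats zero-coverage check, run over a sample that contains no EXT events, so every event is returned with ext_count=0.

```spl
| makeresults count=4
| streamstats count AS n
| eval source_zone=case(n=1, "INT", n=2, "DMZ", n=3, "EXT")
| fields - n
| search NOT source_zone="EXT"

| makeresults count=4
| streamstats count AS n
| eval source_zone=case(n=1, "INT", n=2, "DMZ", n=3, "INT")
| fields - n
| eventstats count(eval(source_zone="EXT")) AS ext_count
| where ext_count=0
```

In the second search, changing any one value to "EXT" makes ext_count=1 for every event and the where clause drops them all, which is the "show me everything only when EXT is absent" behaviour the question asks for; in production, replace the makeresults lines with your_search.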