Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Show me all events where field value not present?

yepyepyayyooo
New Member
‎12-30-2019 06:04 AM

Greetings good people,

i may be over thinking things or didn't get enough sleep. I need to return results where a field value is not present at all (0%) i.e. no event coverage for the given value. Not field but field value. For example.

Let's say we have a field called source_zone and possible values of INT, DMZ, or EXT.

I would like to see all events where there are 0 results for source_zone="EXT". This is not the same as source_zone!="EXT" because that is filtering out the results.

Kindly advise and thanks.

0 Karma
Reply

to4kawa
Ultra Champion
‎12-30-2019 05:06 PM 
your_search
| eventstats count(eval(source_zone="EXT")) as check
| where check < 1

Hi, @yepyepyayyooo
how about this?

0 Karma
Reply

mydog8it
Builder
‎12-30-2019 06:58 AM

The way I read your question, you want events that have no value in the source_zone field. If that's the case, try something like this:

your_search | where isnull(source_zone)

If you want to get all results that do not equal "EXT", try this:

your_index your_sourcetype source_zone!=EXT
0 Karma
Reply

oscar84x
Contributor
‎12-30-2019 06:47 AM

Hi. You can try:

index=your_index sourcetype=your_sourcetype NOT source_zone=EXT

As per Splunk best practices, however, inclusion is better than exclusion. So if you have a small number of possible values it might be better to search for all the values you want rather than the one you don't.

https://docs.splunk.com/Documentation/Splunk/8.0.1/Search/NOTexpressions

Reply

yepyepyayyooo
New Member
‎12-30-2019 07:22 AM

Doesn't this filter out results? I need to see if condition true show me everything else. I need something like

where source_zone value EXT is nonexistent, show me those results
0 Karma
Reply

oscar84x
Contributor
‎12-30-2019 07:30 AM

From the link I posted above: Searching with NOT - If you search with the NOT operator, every event is returned except the events that contain the value you specify. This includes events that do not have a value in the field.

So unlike !=, it will return events that don't have that value. Not just exclude the ones that have it.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-30-2019 06:45 AM

Finding something that is not there can be challenging.

Perhaps https://www.duanewaddle.com/proving-a-negative/ will help.

There also NOT source_zone="EXT" which is not the same as source_zone!="EXT".

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...

Video | Tom’s Smartness Journey Continues

Remember Splunk Community member Tom Kopchak? If you caught the first episode of our Smartness interview ...