Splunk Search

Show me all events where field value not present?

yepyepyayyooo
New Member

Greetings good people,

I may be overthinking things or didn't get enough sleep. I need to return results where a field value is not present at all (0%), i.e. no event coverage for the given value. Not the field, but the field value. For example:

Let's say we have a field called source_zone and possible values of INT, DMZ, or EXT.

I would like to see all events where there are 0 results for source_zone="EXT". This is not the same as source_zone!="EXT" because that is filtering out the results.

Kindly advise and thanks.

0 Karma

to4kawa
Ultra Champion
your_search
| eventstats count(eval(source_zone="EXT")) as check
| where check < 1

Hi, @yepyepyayyooo
how about this?

0 Karma

mydog8it
Builder

The way I read your question, you want events that have no value in the source_zone field. If that's the case, try something like this:

your_search | where isnull(source_zone)

If you want to get all results that do not equal "EXT", try this:

your_index your_sourcetype source_zone!=EXT

0 Karma

oscar84x
Contributor

Hi. You can try:

index=your_index sourcetype=your_sourcetype NOT source_zone=EXT

As per Splunk best practices, however, inclusion is better than exclusion. So if you have a small number of possible values it might be better to search for all the values you want rather than the one you don't.

https://docs.splunk.com/Documentation/Splunk/8.0.1/Search/NOTexpressions

yepyepyayyooo
New Member

Doesn't this filter out results? I need to see: if the condition is true, show me everything else. I need something like:

where source_zone value EXT is nonexistent, show me those results

0 Karma

oscar84x
Contributor

From the link I posted above: Searching with NOT - If you search with the NOT operator, every event is returned except the events that contain the value you specify. This includes events that do not have a value in the field.

So unlike !=, it will return events that don't have that value. Not just exclude the ones that have it.

0 Karma

richgalloway
SplunkTrust

Finding something that is not there can be challenging.

Perhaps https://www.duanewaddle.com/proving-a-negative/ will help.

There is also NOT source_zone="EXT", which is not the same as source_zone!="EXT".

---
If this reply helps you, Karma would be appreciated.
0 Karma
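To make the three behaviours discussed in this thread concrete, here is an added Python model (not code from any of the posters, and not Splunk itself) run over a few constructed events: `source_zone!=EXT`, `NOT source_zone=EXT`, and to4kawa's `eventstats ... | where check < 1`. A missing dict key stands in for a field that is absent from the event.

```python
# Constructed sample events; "fw3" has no source_zone field at all.
EVENTS = [
    {"host": "fw1", "source_zone": "INT"},
    {"host": "fw2", "source_zone": "DMZ"},
    {"host": "fw3"},
]


def not_equal(events, field, value):
    """Models field!=value: only events that HAVE the field and hold a
    different value survive. Events lacking the field are dropped,
    because a NULL compared with "EXT" is not true."""
    return [e for e in events if field in e and e[field] != value]


def not_expr(events, field, value):
    """Models NOT field=value: every event survives except those whose
    field equals the value, so events without the field are kept."""
    return [e for e in events if e.get(field) != value]


def all_if_value_absent(events, field, value):
    """Models eventstats count(eval(field=value)) as check | where check < 1.
    The count is taken over the whole result set and attached to every
    event, so either all events pass (value never seen) or none do."""
    check = sum(1 for e in events if e.get(field) == value)
    return [dict(e, check=check) for e in events if check < 1]


if __name__ == "__main__":
    for fn in (not_equal, not_expr, all_if_value_absent):
        print(fn.__name__, [e["host"] for e in fn(EVENTS, "source_zone", "EXT")])
```

The last function is the one that answers the original question: it returns the full result set only when no event carries the value, and nothing otherwise.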