Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

EASY QUESTION: How to search for events that produce a field value of zero

cosullivan66
Explorer
‎04-09-2013 12:44 PM

Hi all, wish I could figure this one out myself but I'm stumped. I'm interested in producing a list of all the account IDs that have count(ns2:sessionType=SCHEDULED) = 0. I can produce the following list with this search:

sourcetype="ScreenSharingEvent" | xmlkv | chart count by ns2:accountId ns2:sessionType

ns2:accountId        IMPROMPTU     RECURRING    SCHEDULED

1 545538432972491782 0 0 2

2 1937523452352853511 2 0 5

3 2633426351742639109 7 0 0

I simply want a chart that would list the account with SCHEDULED=0

ns2:accountId

1 2633426351742639109

Thanks for the help!!

Tags (1)
0 Karma
Reply

jdunlea_splunk
Splunk Employee
Splunk Employee
‎04-09-2013 01:02 PM

Assuming that in this case, the xmlkv command is splitting the KVs correctly, you could do this:

sourcetype="ScreenSharingEvent" | xmlkv | search SCHEDULED=0 | chart count by ns2:accountId ns2:sessionType

Reply

cosullivan66
Explorer
‎04-09-2013 01:16 PM

Thanks for the reply, but SCHEDULED is a field value corresponding to the field ns2:sessionType, so I want something like count(ns2:sessionType=Scheduled)=0. However this command doesn't work.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...