Splunk Search

Show me all events where field value not present?

yepyepyayyooo
New Member

Greetings good people,

I may be overthinking things or didn't get enough sleep. I need to return results where a field value is not present at all (0%), i.e. no event coverage for the given value. Not the field, but the field value. For example:

Let's say we have a field called source_zone and possible values of INT, DMZ, or EXT.

I would like to see all events where there are 0 results for source_zone="EXT". This is not the same as source_zone!="EXT" because that is filtering out the results.

Kindly advise and thanks.

0 Karma

to4kawa
Ultra Champion
your_search
| eventstats count(eval(source_zone="EXT")) as check
| where check < 1

Hi, @yepyepyayyooo
how about this?

0 Karma

mydog8it
Builder

The way I read your question, you want events that have no value in the source_zone field. If that's the case, try something like this:

your_search | where isnull(source_zone)

If you want to get all results that do not equal "EXT", try this:

your_index your_sourcetype source_zone!=EXT
0 Karma

oscar84x
Contributor

Hi. You can try:

index=your_index sourcetype=your_sourcetype NOT source_zone=EXT

As per Splunk best practices, however, inclusion is better than exclusion. So if you have a small number of possible values it might be better to search for all the values you want rather than the one you don't.

https://docs.splunk.com/Documentation/Splunk/8.0.1/Search/NOTexpressions

yepyepyayyooo
New Member

Doesn't this filter out results? I need: if the condition is true, show me everything else. I need something like

where source_zone value EXT is nonexistent, show me those results
0 Karma

oscar84x
Contributor

From the link I posted above: Searching with NOT - If you search with the NOT operator, every event is returned except the events that contain the value you specify. This includes events that do not have a value in the field.

So unlike !=, it will return events that don't have that value. Not just exclude the ones that have it.

0 Karma

richgalloway
SplunkTrust

Finding something that is not there can be challenging.

Perhaps https://www.duanewaddle.com/proving-a-negative/ will help.

There is also NOT source_zone="EXT", which is not the same as source_zone!="EXT".

---
If this reply helps you, Karma would be appreciated.
0 Karma
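To make the differences discussed in this thread concrete (to4kawa's eventstats gate, and oscar84x's and richgalloway's point that NOT field=value keeps events lacking the field while field!=value drops them), here is an added Python model of those SPL semantics over a handful of constructed events. It is not Splunk code and not from any poster; it only mirrors the documented behaviour so the outputs can be compared side by side.

```python
# Added example (not from the thread): a small Python model of how the SPL
# filters discussed above behave on events that may lack the field entirely.
# Splunk evaluates these on the search head/indexers; this only reproduces
# the documented semantics so the difference is easy to see.

# Constructed sample events: note that event 3 has no source_zone field at all.
EVENTS = [
    {"_raw": "conn allow", "source_zone": "INT"},
    {"_raw": "conn allow", "source_zone": "DMZ"},
    {"_raw": "conn deny"},                      # field missing
    {"_raw": "conn allow", "source_zone": "EXT"},
]


def not_equal(events, field, value):
    """source_zone!="EXT": the field must exist AND differ from the value.
    Events missing the field are dropped."""
    return [e for e in events if field in e and e[field] != value]


def not_operator(events, field, value):
    """NOT source_zone="EXT": everything except events matching the value.
    Events missing the field are kept (documented NOT behaviour)."""
    return [e for e in events if e.get(field) != value]


def is_null(events, field):
    """where isnull(source_zone): only events with no such field."""
    return [e for e in events if field not in e]


def eventstats_gate(events, field, value):
    """to4kawa's pattern: eventstats count(eval(field=value)) as check
    | where check < 1. With no 'by' clause, 'check' is the total over the
    whole result set, so either every event is returned (the value never
    occurs anywhere) or none is."""
    check = sum(1 for e in events if e.get(field) == value)
    return list(events) if check < 1 else []


if __name__ == "__main__":
    for name, fn in (("!=", not_equal), ("NOT", not_operator)):
        print(name, [e.get("source_zone") for e in fn(EVENTS, "source_zone", "EXT")])
    print("isnull", [e["_raw"] for e in is_null(EVENTS, "source_zone")])
    print("gate (EXT present)", len(eventstats_gate(EVENTS, "source_zone", "EXT")))
    print("gate (EXT absent)", len(eventstats_gate(EVENTS[:3], "source_zone", "EXT")))
```

Real Splunk fields can also be multivalue, which this model ignores; the point is only the missing-field case that separates NOT from !=.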