Apologies if this answer exists somewhere. I am new to SPLUNK, I have been searching in user documents and How to FAQs but I am running out of time and have an urgent production problem to resolve.

I am using SPLUNK to search a log file for reasons why prod emails have gone astray.

In doing some basic searches I have determined a few fields we want to look at more closely. The search is greater than below but to simplify the question I will just refer to the one field.

"Document Converter returned" is one field I am searching on and I have noticed "Document Converter returned 0" is most common event. However when that field is not equal to 0 (eg "Document Converter returned 2043") the email is in error.

I want to only return the ones not equal to zero as the errors returned may be more than just "2043"

Example Search.

source="D:\Splunk\Logfile.trc" AND ("Document Converter returned") returns 47 events of which only 1 has Document Converter returned 2043.

source="D:\Splunk\Logfile.trc" AND ("Document Converter returned" !=0) doesn't work and I think it is because of the space before the 0 (???)

How can I search for "Document Converter returned" !=0 to only return events in error? Is there a way to search on "Document Converter returned" then extract the next "n" characters and compare the extracted characters only to 0? Or, something better?

As there are spaces I think SPLUNK is just seeing everything on this particular line as many fields and not linking the numbers post "Document Converter returned" to that field.

Thx in advance