I am trying to run a transaction search off a data model as seen below:
| datamodel WebLogs_Session_Test Checkout_Hits search
| transaction Web_Page_Hits.user mvlist=t maxpause=30m maxspan=4h maxevents=100000 keepevicted=true
| eval ckty=mvsort(Web_Page_Hits.Checkout_Hits.ckty)
| chart list(ckty) by Web_Page_Hits.user
list(ckty) doesn't return any values, however:
| datamodel WebLogs_Session_Test2 Checkout_Hits search
| transaction Web_Page_Hits.user mvlist=t maxpause=30m maxspan=4h maxevents=100000 keepevicted=true
| chart list(Web_Page_Hits.Checkout_Hits.ckty) by Web_Page_Hits.user
This returns a proper chart with a list of values next to each user, which looks something like this:
USER1 1
0
0
1
0
USER2 0
0
0
0
0
1
What I would like to accomplish is to return whether or not the value "1" exists within the field for each user.
Thanks.
If I'm understanding the question right, you're trying to have the field that contains the value of either 0 or 1 return like a true/false statement?
If so I do an eval statement:
| eval value1 = case(value==1,"true","false")
Then chart based on value1.
If you're trying to only show events if a user has a 1 associated to it, I'd honestly just add:
NOT 0
Or,
value!="0" OR value="1"
Is that what you're looking for?
What I'm capable of doing is eventstating with a sum(Web_Page_Hits.Checkout_Hits.ckty) and then eval a "TRUE" if the sum is greater than 0. My only problem with this that it's slow, and I plan on searching throw a bulky amount of data.