Splunk Search

Why am I getting null values when applying multivalue commands on a transaction field?

alcchang
Engager

I am trying to run a transaction search off a data model as seen below:

| datamodel WebLogs_Session_Test Checkout_Hits search
| transaction Web_Page_Hits.user mvlist=t maxpause=30m maxspan=4h maxevents=100000 keepevicted=true
| eval ckty=mvsort(Web_Page_Hits.Checkout_Hits.ckty)
| chart list(ckty) by Web_Page_Hits.user

list(ckty) doesn't return any values, however:

| datamodel WebLogs_Session_Test2 Checkout_Hits search
| transaction Web_Page_Hits.user mvlist=t maxpause=30m maxspan=4h maxevents=100000 keepevicted=true
| chart list(Web_Page_Hits.Checkout_Hits.ckty) by Web_Page_Hits.user

This returns a proper chart with a list of values next to each user, which looks something like this:

USER1                                    1
                                         0
                                         0
                                         1
                                         0

USER2                                    0
                                         0
                                         0
                                         0
                                         0
                                         1

What I would like to accomplish is to return whether or not the value "1" exists within the field for each user.

Thanks.

Tags (1)
0 Karma

auraria1
Path Finder

If I'm understanding the question right, you're trying to have the field that contains the value of either 0 or 1 return like a true/false statement?

If so I do an eval statement:

| eval value1 = case(value==1,"true","false")

Then chart based on value1.

If you're trying to only show events if a user has a 1 associated to it, I'd honestly just add:

NOT 0

Or,

value!="0" OR value="1"

Is that what you're looking for?

0 Karma

alcchang
Engager

What I'm capable of doing is eventstating with a sum(Web_Page_Hits.Checkout_Hits.ckty) and then eval a "TRUE" if the sum is greater than 0. My only problem with this that it's slow, and I plan on searching throw a bulky amount of data.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...