Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Return value based on missing field

ialahdal
Path Finder
‎01-13-2020 01:50 AM

I want to make a search that will return a count of session_id based on the following fields
logged_out, logged_in
I want a count of how many sessions have an event with the logged_in field existing & the logged_out field not existing, this way I can tell exactly how many sessions are currently online.

How would I compare based on a field not existing, I tried isnull() and it didn't work as needed.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Vijeta
Influencer
‎01-13-2020 09:32 AM

@ialahdal You can do something like below. 

<your search query> | stats count(eval(ISNOTNULL(logged_in))) as in_count , count(eval(ISNOTNULL(logged_out)) as out_count by SessionID| where in_count  > out_count

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Vijeta
Influencer
‎01-13-2020 09:32 AM

@ialahdal You can do something like below. 

<your search query> | stats count(eval(ISNOTNULL(logged_in))) as in_count , count(eval(ISNOTNULL(logged_out)) as out_count by SessionID| where in_count  > out_count
0 Karma
Reply
Solved! Jump to solution

ialahdal
Path Finder
‎01-14-2020 02:39 AM

Thanks to you and @kamlesh_vaghela, I think isnull is making values null, using isnotnull like you mentioned did get me to the results I needed eventually.
Thanks.

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎01-13-2020 03:39 AM

@ialahdal

Try:

YOUR_SEARCH | eval flag=if(logged_in=="Yes" AND isnull(logged_out),1,0)
| stats sum(flag)

Sample:

| makeresults 
| eval logged_in="Yes",logged_out="Yes" 
| append 
    [| makeresults 
    | eval logged_in="Yes"] 
| eval flag=if(logged_in=="Yes" AND isnull(logged_out),1,0)
| stats sum(flag)
0 Karma
Reply
Solved! Jump to solution

ialahdal
Path Finder
‎01-13-2020 01:53 AM

Something like if logged_in="yes" & nonexist(logged_out) return true
count true by session_id

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...