Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Return value based on missing field

ialahdal
Path Finder
‎01-13-2020 01:50 AM

I want to make a search that will return a count of session_id based on the following fields
logged_out, logged_in
I want a count of how many sessions have an event with the logged_in field existing & the logged_out field not existing, this way I can tell exactly how many sessions are currently online.

How would I compare based on a field not existing, I tried isnull() and it didn't work as needed.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Vijeta
Influencer
‎01-13-2020 09:32 AM

@ialahdal You can do something like below. 

<your search query> | stats count(eval(ISNOTNULL(logged_in))) as in_count , count(eval(ISNOTNULL(logged_out)) as out_count by SessionID| where in_count  > out_count

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Vijeta
Influencer
‎01-13-2020 09:32 AM

@ialahdal You can do something like below. 

<your search query> | stats count(eval(ISNOTNULL(logged_in))) as in_count , count(eval(ISNOTNULL(logged_out)) as out_count by SessionID| where in_count  > out_count
0 Karma
Reply
Solved! Jump to solution

ialahdal
Path Finder
‎01-14-2020 02:39 AM

Thanks to you and @kamlesh_vaghela, I think isnull is making values null, using isnotnull like you mentioned did get me to the results I needed eventually.
Thanks.

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎01-13-2020 03:39 AM

@ialahdal

Try:

YOUR_SEARCH | eval flag=if(logged_in=="Yes" AND isnull(logged_out),1,0)
| stats sum(flag)

Sample:

| makeresults 
| eval logged_in="Yes",logged_out="Yes" 
| append 
    [| makeresults 
    | eval logged_in="Yes"] 
| eval flag=if(logged_in=="Yes" AND isnull(logged_out),1,0)
| stats sum(flag)
0 Karma
Reply
Solved! Jump to solution

ialahdal
Path Finder
‎01-13-2020 01:53 AM

Something like if logged_in="yes" & nonexist(logged_out) return true
count true by session_id

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

To help practitioners build a stronger foundation, we launched the Data Management & Federation ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...