Solved: Re: Return value based on missing field

ialahdal · ‎01-13-2020

I want to make a search that will return a count of session_id based on the following fields
logged_out, logged_in
I want a count of how many sessions have an event with the logged_in field existing & the logged_out field not existing, this way I can tell exactly how many sessions are currently online.

How would I compare based on a field not existing, I tried isnull() and it didn't work as needed.

Vijeta · ‎01-13-2020

@ialahdal You can do something like below.

<your search query> | stats count(eval(ISNOTNULL(logged_in))) as in_count , count(eval(ISNOTNULL(logged_out)) as out_count by SessionID| where in_count  > out_count

View solution in original post

Vijeta · ‎01-13-2020

@ialahdal You can do something like below.

<your search query> | stats count(eval(ISNOTNULL(logged_in))) as in_count , count(eval(ISNOTNULL(logged_out)) as out_count by SessionID| where in_count  > out_count

ialahdal · ‎01-14-2020

Thanks to you and @kamlesh_vaghela, I think isnull is making values null, using isnotnull like you mentioned did get me to the results I needed eventually.
Thanks.

kamlesh_vaghela · ‎01-13-2020

@ialahdal

Try:

YOUR_SEARCH | eval flag=if(logged_in=="Yes" AND isnull(logged_out),1,0)
| stats sum(flag)

Sample:

| makeresults 
| eval logged_in="Yes",logged_out="Yes" 
| append 
    [| makeresults 
    | eval logged_in="Yes"] 
| eval flag=if(logged_in=="Yes" AND isnull(logged_out),1,0)
| stats sum(flag)

ialahdal · ‎01-13-2020

Something like if logged_in="yes" & nonexist(logged_out) return true
count true by session_id

Return value based on missing field

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...