Solved: Return value based on missing field

ialahdal · ‎01-13-2020

I want to make a search that will return a count of session_id based on the following fields
logged_out, logged_in
I want a count of how many sessions have an event with the logged_in field existing & the logged_out field not existing, this way I can tell exactly how many sessions are currently online.

How would I compare based on a field not existing, I tried isnull() and it didn't work as needed.

Vijeta · ‎01-13-2020

@ialahdal You can do something like below.

<your search query> | stats count(eval(ISNOTNULL(logged_in))) as in_count , count(eval(ISNOTNULL(logged_out)) as out_count by SessionID| where in_count  > out_count

View solution in original post

Vijeta · ‎01-13-2020

@ialahdal You can do something like below.

<your search query> | stats count(eval(ISNOTNULL(logged_in))) as in_count , count(eval(ISNOTNULL(logged_out)) as out_count by SessionID| where in_count  > out_count

ialahdal · ‎01-14-2020

Thanks to you and @kamlesh_vaghela, I think isnull is making values null, using isnotnull like you mentioned did get me to the results I needed eventually.
Thanks.

kamlesh_vaghela · ‎01-13-2020

@ialahdal

Try:

YOUR_SEARCH | eval flag=if(logged_in=="Yes" AND isnull(logged_out),1,0)
| stats sum(flag)

Sample:

| makeresults 
| eval logged_in="Yes",logged_out="Yes" 
| append 
    [| makeresults 
    | eval logged_in="Yes"] 
| eval flag=if(logged_in=="Yes" AND isnull(logged_out),1,0)
| stats sum(flag)

ialahdal · ‎01-13-2020

Something like if logged_in="yes" & nonexist(logged_out) return true
count true by session_id

Return value based on missing field

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!