Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Return value based on missing field

ialahdal
Path Finder
‎01-13-2020 01:50 AM

I want to make a search that will return a count of session_id based on the following fields
logged_out, logged_in
I want a count of how many sessions have an event with the logged_in field existing & the logged_out field not existing, this way I can tell exactly how many sessions are currently online.

How would I compare based on a field not existing, I tried isnull() and it didn't work as needed.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Vijeta
Influencer
‎01-13-2020 09:32 AM

@ialahdal You can do something like below. 

<your search query> | stats count(eval(ISNOTNULL(logged_in))) as in_count , count(eval(ISNOTNULL(logged_out)) as out_count by SessionID| where in_count  > out_count

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Vijeta
Influencer
‎01-13-2020 09:32 AM

@ialahdal You can do something like below. 

<your search query> | stats count(eval(ISNOTNULL(logged_in))) as in_count , count(eval(ISNOTNULL(logged_out)) as out_count by SessionID| where in_count  > out_count
0 Karma
Reply
Solved! Jump to solution

ialahdal
Path Finder
‎01-14-2020 02:39 AM

Thanks to you and @kamlesh_vaghela, I think isnull is making values null, using isnotnull like you mentioned did get me to the results I needed eventually.
Thanks.

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎01-13-2020 03:39 AM

@ialahdal

Try:

YOUR_SEARCH | eval flag=if(logged_in=="Yes" AND isnull(logged_out),1,0)
| stats sum(flag)

Sample:

| makeresults 
| eval logged_in="Yes",logged_out="Yes" 
| append 
    [| makeresults 
    | eval logged_in="Yes"] 
| eval flag=if(logged_in=="Yes" AND isnull(logged_out),1,0)
| stats sum(flag)
0 Karma
Reply
Solved! Jump to solution

ialahdal
Path Finder
‎01-13-2020 01:53 AM

Something like if logged_in="yes" & nonexist(logged_out) return true
count true by session_id

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...