Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why am I getting null values when applying multivalue commands on a transaction field?

alcchang
Engager
‎07-18-2018 01:43 PM

I am trying to run a transaction search off a data model as seen below:

| datamodel WebLogs_Session_Test Checkout_Hits search
| transaction Web_Page_Hits.user mvlist=t maxpause=30m maxspan=4h maxevents=100000 keepevicted=true
| eval ckty=mvsort(Web_Page_Hits.Checkout_Hits.ckty)
| chart list(ckty) by Web_Page_Hits.user

list(ckty) doesn't return any values, however:

| datamodel WebLogs_Session_Test2 Checkout_Hits search
| transaction Web_Page_Hits.user mvlist=t maxpause=30m maxspan=4h maxevents=100000 keepevicted=true
| chart list(Web_Page_Hits.Checkout_Hits.ckty) by Web_Page_Hits.user

This returns a proper chart with a list of values next to each user, which looks something like this:

USER1                                    1
                                         0
                                         0
                                         1
                                         0

USER2                                    0
                                         0
                                         0
                                         0
                                         0
                                         1

What I would like to accomplish is to return whether or not the value "1" exists within the field for each user.

Thanks.

Tags (1)
0 Karma
Reply

auraria1
Path Finder
‎07-19-2018 11:05 AM

If I'm understanding the question right, you're trying to have the field that contains the value of either 0 or 1 return like a true/false statement?

If so I do an eval statement:

| eval value1 = case(value==1,"true","false")

Then chart based on value1.

If you're trying to only show events if a user has a 1 associated to it, I'd honestly just add:

NOT 0

Or,

value!="0" OR value="1"

Is that what you're looking for?

0 Karma
Reply

alcchang
Engager
‎07-18-2018 02:31 PM

What I'm capable of doing is eventstating with a sum(Web_Page_Hits.Checkout_Hits.ckty) and then eval a "TRUE" if the sum is greater than 0. My only problem with this that it's slow, and I plan on searching throw a bulky amount of data.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...