https://community.splunk.com/t5/Splunk-Search/How-to-have-stats-with-no-result-found/m-p/476028#M133734 <P>Hi,</P> <P>I'm looking at logs on a Gateway to see if there is traffic or not for specific files at a specific time. <BR /> I want to show the status of the flow. </P> <P>The file has to be present only on Monday between 5:30PM and 7:30PM.<BR /> If it is then the state is "OK" and "KO" if not.<BR /> If we are another day and there that is no traffic, it's "Not expected"<BR /> Otherwise, it's a warn.</P> <P>Could you please help ?</P> <P>Here is my command line :</P> <PRE><CODE>eventtype=echanges IDF="KB0N3A*" OR IDF="N70N3A*" ENDTIME&gt;"17:30:00" ENDTIME&lt;"19:30:00" RECEPTEUR="FGPXYG00" STATUS="COMPLETED" VOLUMETRIE&gt;0 | stats count as Nb by IDF,date_wday | eval State = if(Nb == 1,if(match(date_wday, "monday"),"OK","Warning"),if(match(date_wday,"monday"),"Warning","Not Expected")) | table State </CODE></PRE> Thu, 12 Sep 2019 11:32:07 GMT pbd 2019-09-12T11:32:07Z https://community.splunk.com/t5/Splunk-Search/How-to-have-stats-with-no-result-found/m-p/476028#M133734 <P>Hi,</P> <P>I'm looking at logs on a Gateway to see if there is traffic or not for specific files at a specific time. <BR /> I want to show the status of the flow. </P> <P>The file has to be present only on Monday between 5:30PM and 7:30PM.<BR /> If it is then the state is "OK" and "KO" if not.<BR /> If we are another day and there that is no traffic, it's "Not expected"<BR /> Otherwise, it's a warn.</P> <P>Could you please help ?</P> <P>Here is my command line :</P> <PRE><CODE>eventtype=echanges IDF="KB0N3A*" OR IDF="N70N3A*" ENDTIME&gt;"17:30:00" ENDTIME&lt;"19:30:00" RECEPTEUR="FGPXYG00" STATUS="COMPLETED" VOLUMETRIE&gt;0 | stats count as Nb by IDF,date_wday | eval State = if(Nb == 1,if(match(date_wday, "monday"),"OK","Warning"),if(match(date_wday,"monday"),"Warning","Not Expected")) | table State </CODE></PRE> Thu, 12 Sep 2019 11:32:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-have-stats-with-no-result-found/m-p/476028#M133734 pbd 2019-09-12T11:32:07Z https://community.splunk.com/t5/Splunk-Search/How-to-have-stats-with-no-result-found/m-p/476029#M133735 <P>Give this a try</P> <PRE><CODE>eventtype=echanges IDF="KB0N3A*" OR IDF="N70N3A*" ENDTIME&gt;"17:30:00" ENDTIME&lt;"19:30:00" RECEPTEUR="FGPXYG00" STATUS="COMPLETED" VOLUMETRIE&gt;0 | stats count as Nb by IDF,date_wday | appendpipe [| stats count as Nb| where Nb=0 | eval date_wday=lower(strftime(now(),"%A"))] | eval State = if(Nb == 1,if(match(date_wday, "monday"),"OK","Warning"),if(match(date_wday,"monday"),"Warning","Not Expected")) | table State </CODE></PRE> Thu, 12 Sep 2019 13:42:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-have-stats-with-no-result-found/m-p/476029#M133735 somesoni2 2019-09-12T13:42:30Z https://community.splunk.com/t5/Splunk-Search/How-to-have-stats-with-no-result-found/m-p/476030#M133736 <P>Thank you for the fast reply !<BR /> This would be perfect if I can replace "now()" in the strftime function by the time i'm searching for ?<BR /> You put me on the right track I think. </P> Thu, 12 Sep 2019 14:42:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-have-stats-with-no-result-found/m-p/476030#M133736 pbd 2019-09-12T14:42:00Z https://community.splunk.com/t5/Splunk-Search/How-to-have-stats-with-no-result-found/m-p/476031#M133737 <P>I think I've finally found !!! \o/</P> <P>eventtype=echanges IDF="KB0N3A*" OR IDF="N70N3A*" ENDTIME&gt;"17:30:00" ENDTIME&lt;"19:30:00" RECEPTEUR="FGPXYG00" STATUS="COMPLETED" VOLUMETRIE&gt;0 | stats count as Nb by IDF,date_wday | appendpipe [| stats count as Nb| where Nb=0 | addinfo | eval date_wday=lower(strftime(info_min_time,"%A"))] | eval State = if(Nb == 1,if(match(date_wday, "monday"),"OK","Warning"),if(match(date_wday,"monday"),"Warning","Not Expected")) | table State date_wday Nb</P> Wed, 30 Sep 2020 02:07:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-have-stats-with-no-result-found/m-p/476031#M133737 pbd 2020-09-30T02:07:21Z https://community.splunk.com/t5/Splunk-Search/How-to-have-stats-with-no-result-found/m-p/476032#M133738 <P>Thank you very much!!!!</P> Thu, 12 Sep 2019 14:55:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-have-stats-with-no-result-found/m-p/476032#M133738 pbd 2019-09-12T14:55:50Z