Hello,
I use the code below in order to test if a filename exists.
It works, but only when I put the token time on "all time".
When I put a short token time like "last hour", there is no "Yes" or "No" but an "Any results" message.
When there is "Any results", I want to display "No".
Could you help me, please?
index="ai-wkst-windows-fr" sourcetype="tools:flags" filename="ACV-TOUPDATE.$w$*"
| dedup host
| eval filename=if(filename=="ACV-TOUPDATE.$w$", "YES", "NO")
| table filename
Hi,
Can you try the below search.
index="ai-wkst-windows-fr" sourcetype="tools:flags" filename="ACV-TOUPDATE.$w$*"
| dedup host
| append [|makeresults | eval filename = "Not Defined" | table filename]
| eval filename=if(filename=="ACV-TOUPDATE.$w$", "YES", "NO")
| head 1
| table filename
Hi,
With your code, when I change the token time I have two lines with Yes and No.
Sorry, missed one code, please try the below one:
index="ai-wkst-windows-fr" sourcetype="tools:flags" filename="ACV-TOUPDATE.$w$*"
| dedup host
| append [|makeresults | eval filename = "Not Defined" | table filename]
| eval filename=if(filename=="ACV-TOUPDATE.$w$", "YES", "NO")
| head 1
| table filename
Perfect, thanks
Cool. I edited my main answer as well.
Hi @jip31,
Can you try like this:
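An alternative to the append/head approach above, added here as an example and not posted by anyone in the thread: `stats` without a `by` clause returns one row even when no events match in the selected time range, so the panel always shows YES or NO instead of the "no results" message. The field name `exact_matches` is made up for this example; the index, sourcetype and `$w$` token are the ones from the question.

```spl
index="ai-wkst-windows-fr" sourcetype="tools:flags" filename="ACV-TOUPDATE.$w$*"
| stats count(eval(filename=="ACV-TOUPDATE.$w$")) AS exact_matches
| eval filename=if(exact_matches > 0, "YES", "NO")
| table filename
```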
index="ai-wkst-windows-fr" sourcetype="tools:flags" filename="ACV-TOUPDATE.$w$*"
| dedup host
| eval token="ACV-TOUPDATE.$w$"
| eval filename=if(filename==token, "YES", "NO")
| table filename
What is "any results"? Do you mean "no results found try expanding time range"?
Try this:
index="ai-wkst-windows-fr" sourcetype="tools:flags" filename=*
| dedup host
| eval filename=if(filename=="ACV-TOUPDATE.$w$", "YES", "NO")
| table filename
Yes, I mean "no results found try expanding time range".
Your code doesn't work because with it I always have "No".