Can you help me with an eval that has conditions?

Contributor

Hello,

I use the code below in order to test if a filename exists.

It works, but only when I put the token time on "all time".

When I put a short token time like "last hour", there is no "Yes" or "No" but an "Any results" message.

When there is "Any results", I want to display "No".

Could you help me please?

index="ai-wkst-windows-fr" sourcetype="tools:flags" filename="ACV-TOUPDATE.$w$*" 
| dedup host 
| eval filename=if(filename=="ACV-TOUPDATE.$w$", "YES", "NO") 
| table filename
0 Karma

Contributor

Hi,

Can you try the below search.

index="ai-wkst-windows-fr" sourcetype="tools:flags" filename="ACV-TOUPDATE.$w$*"
| dedup host
| append [|makeresults | eval filename = "Not Defined" | table filename]
| eval filename=if(filename=="ACV-TOUPDATE.$w$", "YES", "NO")
| head 1
| table filename

0 Karma

Contributor

Hi,
With your code, when I change the token time I have two lines with Yes and No.

0 Karma

Contributor

Sorry, missed one code. Please try the below one:
index="ai-wkst-windows-fr" sourcetype="tools:flags" filename="ACV-TOUPDATE.$w$*"
| dedup host
| append [|makeresults | eval filename = "Not Defined" | table filename]
| eval filename=if(filename=="ACV-TOUPDATE.$w$", "YES", "NO")
| head 1
| table filename

0 Karma

Contributor

Perfect, thanks.

0 Karma

Contributor

Cool... I edited my main answer as well.

0 Karma
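
An alternative to the append/head approach in the accepted answer, as an added example that is not from any poster in this thread: a `stats` aggregation with no BY clause returns one row even when the time range matches zero events, so the `if()` always has something to evaluate. The field name `exact_matches` is an assumption chosen for illustration.

```spl
index="ai-wkst-windows-fr" sourcetype="tools:flags" filename="ACV-TOUPDATE.$w$*"
| dedup host
| stats count(eval(filename=="ACV-TOUPDATE.$w$")) AS exact_matches
| eval filename=if(exact_matches > 0, "YES", "NO")
| table filename
```

Unlike `head 1`, which reports on the first event returned, this version shows "YES" if any host in the time range has an exactly matching filename and "NO" otherwise, including when the search returns no events.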

hi @jip31

Can you try it like this?

index="ai-wkst-windows-fr" sourcetype="tools:flags" filename="ACV-TOUPDATE.$w$*"
| dedup host
| eval token="ACV-TOUPDATE.$w$"
| eval filename=if(filename==token, "YES", "NO")
| table filename
0 Karma

Communicator

What is "any results"? Do you mean "no results found try expanding time range"?

Try this

index="ai-wkst-windows-fr" sourcetype="tools:flags" filename=*
| dedup host
| eval filename=if(filename=="ACV-TOUPDATE.$w$", "YES", "NO")
| table filename

0 Karma

Contributor

Yes, I mean "no results found try expanding time range".
Your code doesn't work because with it I always have "No".

0 Karma