index=axway* sourcetype=":messages" SENDERROUTINGID="KNPROD" |stats count by PRODUCTIONFILENAME|fields - count |rename PRODUCTIONFILENAME as FileName |join type=left FileName [search index=axway APPLICATION="CRD_3PL_TO_S4_GOODSRCPT" STATE=* | eval temp=split(FILENAME,"/")| eval count=mvcount(temp)| eval FileName=mvindex(temp,-1) |eval status=if(STATE like "%COMPLETE%" ,"Success","Failure") |stats latest(status) as status by APPLICATION FileName |stats count(eval(status="Failure")) as FailureCount by FileName APPLICATION status |replace CRD_3PL_TO_S4_GOODSRCPT
WITH "IDD_CRD_SCS_022" IN APPLICATION |rename APPLICATION as InterfaceID ] |eval Applicationstatus_MFT=if(status="_", "Failure","Success") |table InterfaceID FileName Applicationstatus_MFT |stats count(FileName) as FileVolume count(eval(Applicationstatus_MFT!="Success")) as FailFileCount by InterfaceID Applicationstatus_MFT
You can just add | search ApplicationStatus_MFT!="Success"
after your eval that creates Applicationstatus_MFT.
Though if you area only showing failures you may be able to remove some of the other pieces from your query.
When I run with the above command :I got this message "no results found yet". Right now I dont have failed records so should I trust this query as correct?