index=mysearch
| eval watchdog_time=_time
| stats count by watchdog_time,date_hour
| convert timeformat="%Y-%m-%d %H:%M" ctime(watchdog_time)
| eval watchdog_value=if(count=1 AND date_hour<"8","OK","NOK")
| eval watchdog=if(isnull(watchdog_value),"NOK","OK")
| convert timeformat="%Y-%m-%d %H:%M" ctime(Date) | table Date, watchdog, watchdog_time
| outputlookup slaamlt.csv append=true
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
I am trying to get an output like this:
Date watchdog watchdog_time
2017-12-06 12:32 OK 2017-12-06 05:41
2017-12-06 12:32 NOK 2017-12-06 08:23
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
but I always get this output:
Date watchdog watchdog_time
2017-12-06 12:32 OK 2017-12-06 05:41
2017-12-06 12:32 OK 2017-12-06 08:23
It just counts whether there is an entry or not, but I need to know how I can get the function to check if the file comes before 8am, then it is OK, but when the file comes after 8am, then it is NOK.
Thank you for helping me!
The watchdog_value field is never null because it is always set to either "OK" or "NOK". Therefore, the isnull test always fails, so the watchdog field will always be "OK". Skip the intermediate eval and it should work. Try this
index=mysearch
| eval watchdog_time=_time
| stats count by watchdog_time,date_hour
| convert timeformat="%Y-%m-%d %H:%M" ctime(watchdog_time)
| eval watchdog=if(count=1 AND date_hour<"8","OK","NOK")
| convert timeformat="%Y-%m-%d %H:%M" ctime(Date) | table Date, watchdog, watchdog_time
| outputlookup slaamlt.csv append=true
Hi @krispost,
When you are using | eval watchdog_value=if(count=1 AND date_hour<"8","OK","NOK")
in your query, it is always assigning a value (OK or NOK) to the watchdog_value
field, but after that | eval watchdog=if(isnull(watchdog_value),"NOK","OK")
checks whether watchdog_value is null or not. watchdog_value
will never be NULL, so the condition will always be false, which gives OK in watchdog
every time.
Just remove this line | eval watchdog=if(isnull(watchdog_value),"NOK","OK")
from your query and change the table to | table Date, watchdog_value, watchdog_time
and you will get the correct result.
Copy that! Thanks to all!!
Oops I didn't see that @richgalloway already answered. 🙂
Ooohh man! It was soooo easy!! But anyway, thank you so much.
best regards
If your problem is resolved, please accept the answer.
Hi richgalloway. No, it's not fully done. I have the issue now that when I didn't get a timestamp entry, there is neither a NOK nor an OK... Do you have a clue why?
Hi richgalloway,
Thank you for your efforts. How shall I accept the answer?
For me it's done! I just have the issue that the empty delivered tables do not output a NOK, but this is another problem.
best regards
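A combined version of the corrected search, added here as an example and not taken from any answer in the thread, that also covers the follow-up issue raised at the end (a day with no file at all should still record a NOK). It differs from the answers above in two ways. First, the hour is derived from _time with strftime and compared as a number: in eval, comparing against the quoted literal "8" is a string comparison, under which "12" sorts before "8", so a file arriving at 12:32 would be rated OK, and date_hour also reflects the hour literal in the raw event rather than the search-time timezone. Second, an appendpipe subsearch appends one NOK row when the main search produced no results, which is the case the original query silently skips. The index name and the lookup file slaamlt.csv are carried over from the thread; setting Date to now() is an assumption, since the thread never shows where Date comes from.

```spl
index=mysearch
| eval watchdog_time=_time
| stats count by watchdog_time
| eval file_hour=tonumber(strftime(watchdog_time, "%H"))
| eval watchdog=if(count=1 AND file_hour<8, "OK", "NOK")
| appendpipe [ stats count AS rows | where rows=0 | eval watchdog="NOK" | fields - rows ]
| eval Date=now()
| convert timeformat="%Y-%m-%d %H:%M" ctime(watchdog_time) ctime(Date)
| table Date, watchdog, watchdog_time
| outputlookup slaamlt.csv append=true
```

Run it once per day after the 08:00 deadline. The stats count inside appendpipe returns a single row with count 0 when the main search matched nothing, so exactly one NOK row is appended in that case and nothing is appended otherwise; that row has an empty watchdog_time, which is what distinguishes "file missing" from "file late" in the lookup.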