Hi All,
I want to compare (maybe) three field values to arrive at a new field. (I mention three because it may be necessary to compare the actual start time with the expected start time and the current time.)
I have some fields from my lookup: Job_Name and expected_start_time. I am calculating the actual_start_time from the search query result.
So I want to create a new field like Status which tells me whether the job started on time, is delayed, or the expected start time has not yet arrived.
Below is the sample output I am looking for. Consider the current time is 13:10.
Job_Name  Expected_start_time  Actual_Start_Time  Status
1a        08.30                10.00              Late start
1b        10.00                09:00              Started Earlier
1c        13:00                --                 Not yet started on the expected start time
1d        18:00                --                 Waiting for the expected start time
Assuming you've done the lookup to get fields Job_Name Expected_start_time and Actual_Start_Time in your search results, try something like this
your current search giving fields Job_Name Expected_start_time and Actual_Start_Time
| eval epochExpected=strptime(Expected_start_time,"%H:%M") | eval epochActual=strptime(Actual_Start_Time,"%H:%M")
| eval Status=case(isnotnull(epochActual) AND epochActual>epochExpected,"Late start",
isnotnull(epochActual) AND epochActual=epochExpected ,"On time start",
isnotnull(epochActual) AND epochActual<epochExpected, "Started earlier",
isnull(epochActual) AND epochExpected<now(), "Not yet started on the expected start time",
isnull(epochActual) AND epochExpected>now(), "Waiting for the expected start time", true(),"Undefined")
| fields - epoch*
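A run-anywhere version of the search above, added here as an example and not part of the original answer: it builds the question's four sample rows inline (constructed_rows), normalizes the "08.30"-style dot separators, and pins the comparison time to the question's 13:10 (ref_now, a constructed stand-in for now()). Assumptions: both times are anchored to today's date explicitly so the comparison does not depend on how strptime fills in a missing date, and an expected time equal to the reference time counts as already due.

```spl
| makeresults
| eval constructed_rows="1a,08.30,10.00;1b,10.00,09:00;1c,13:00,--;1d,18:00,--"
| makemv delim=";" constructed_rows
| mvexpand constructed_rows
| rex field=constructed_rows "^(?<Job_Name>[^,]+),(?<Expected_start_time>[^,]+),(?<Actual_Start_Time>[^,]+)$"
| eval today=strftime(now(),"%Y-%m-%d")
| eval ref_now=strptime(today." 13:10","%Y-%m-%d %H:%M")
| eval epochExpected=strptime(today." ".replace(Expected_start_time,"\.",":"),"%Y-%m-%d %H:%M")
| eval epochActual=strptime(today." ".replace(Actual_Start_Time,"\.",":"),"%Y-%m-%d %H:%M")
| eval Status=case(
    isnotnull(epochActual) AND epochActual>epochExpected, "Late start",
    isnotnull(epochActual) AND epochActual=epochExpected, "On time start",
    isnotnull(epochActual) AND epochActual<epochExpected, "Started earlier",
    isnull(epochActual) AND epochExpected<=ref_now, "Not yet started on the expected start time",
    isnull(epochActual) AND epochExpected>ref_now, "Waiting for the expected start time",
    true(), "Undefined")
| table Job_Name Expected_start_time Actual_Start_Time Status
```

The "--" placeholder fails to parse, so epochActual is null for jobs 1c and 1d and they fall through to the two isnull branches; swap ref_now for now() to evaluate against the real clock.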
Wonderful @somesoni2. Thank you very much!