Return message based on what is NOT showing in Sub...

griffinpair · ‎11-20-2018

I have a subsearch returning all files imported per client as the value "Client_File". It's value will look like ABC_File1. Based on what is returned in this first search, I have second part of the search to look if files were missed, and if that value is not returned I want it to write a message to the table being returned. Below is the search I have so far but it is not returning the missed files correctly.

| append [ search source=importhelpers Moved earliest=-25h@h | eval time=strftime(round(strptime(file_Time, "%I:%M:%S %P")), "%H:%M:%S") | eval Client_File = ClientID + "_" + FileImported ] | eval time=strftime(now(), "%H:%M:%S") | eval dow=strftime(strptime(file_Date, "%m/%d/%Y"), "%A")

| eval MissedFiles = case(Client_File!="ABC_File1" AND time>"12:25:00" AND dow!="Sunday" AND dow!="Saturday", "ABC Missed File1 File. It was expected by 12:25:00",
Client_File!="ABC_File2" AND time>"12:25:00" AND dow!="Sunday" AND dow!="Saturday", "ABC Missed File2 File. It was expected by 12:25:00",
Client_File!="ABC_File3" AND time>"12:25:00" AND dow!="Sunday" AND dow!="Saturday", "ABC Missed File3 File. It was expected by 12:25:00")
| where isnotnull(MissedFiles)
| rename MissedFiles as "Missed Files Message Alert" | table "Missed Files Message Alert"

Return message based on what is NOT showing in Subsearch

Happy CX Day, Splunk Community!

Splunk Observability Cloud | Customer Survey!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas