I have a subsearch returning all files imported per client as the value "Client_File". It's value will look like ABC_File1. Based on what is returned in this first search, I have second part of the search to look if files were missed, and if that value is not returned I want it to write a message to the table being returned. Below is the search I have so far but it is not returning the missed files correctly.


| append [ search source=importhelpers Moved earliest=-25h@h
| eval time=strftime(round(strptime(file_Time, "%I:%M:%S %P")), "%H:%M:%S")
| eval Client_File = ClientID + "_" + FileImported ] | eval time=strftime(now(), "%H:%M:%S") | eval dow=strftime(strptime(file_Date, "%m/%d/%Y"), "%A")

| eval MissedFiles = case(Client_File!="ABC_File1" AND time>"12:25:00" AND dow!="Sunday" AND dow!="Saturday", "ABC Missed File1 File. It was expected by 12:25:00",
Client_File!="ABC_File2" AND time>"12:25:00" AND dow!="Sunday" AND dow!="Saturday", "ABC Missed File2 File. It was expected by 12:25:00",
Client_File!="ABC_File3" AND time>"12:25:00" AND dow!="Sunday" AND dow!="Saturday", "ABC Missed File3 File. It was expected by 12:25:00")
| where isnotnull(MissedFiles)
| rename MissedFiles as "Missed Files Message Alert" | table "Missed Files Message Alert"