Return message based on what is NOT showing in Sub...

griffinpair · ‎11-20-2018

I have a subsearch returning all files imported per client as the value "Client_File". It's value will look like ABC_File1. Based on what is returned in this first search, I have second part of the search to look if files were missed, and if that value is not returned I want it to write a message to the table being returned. Below is the search I have so far but it is not returning the missed files correctly.

| append [ search source=importhelpers Moved earliest=-25h@h | eval time=strftime(round(strptime(file_Time, "%I:%M:%S %P")), "%H:%M:%S") | eval Client_File = ClientID + "_" + FileImported ] | eval time=strftime(now(), "%H:%M:%S") | eval dow=strftime(strptime(file_Date, "%m/%d/%Y"), "%A")

| eval MissedFiles = case(Client_File!="ABC_File1" AND time>"12:25:00" AND dow!="Sunday" AND dow!="Saturday", "ABC Missed File1 File. It was expected by 12:25:00",
Client_File!="ABC_File2" AND time>"12:25:00" AND dow!="Sunday" AND dow!="Saturday", "ABC Missed File2 File. It was expected by 12:25:00",
Client_File!="ABC_File3" AND time>"12:25:00" AND dow!="Sunday" AND dow!="Saturday", "ABC Missed File3 File. It was expected by 12:25:00")
| where isnotnull(MissedFiles)
| rename MissedFiles as "Missed Files Message Alert" | table "Missed Files Message Alert"

Return message based on what is NOT showing in Subsearch

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation