hai all,

i am using below splunk search to know the status if not running 

but its not giving if process was not running.

sourcetype=ps host=test1 COMMAND=*event_demon*
| stats latest(cpu_load_percent) as "CPU %", latest(PercentMemory) as "MEM %", latest(RSZ_KB) as "Resident Memory (KB)", latest(VSZ_KB) as "Virtual Memory (KB)" by _time
| eval Process_Status = case(isnotnull('CPU %') AND isnotnull('MEM %'), "Running", isnull('CPU %') AND isnull('MEM %'), "Not Running", 1=1, "Unknown")
| table "CPU %", "MEM %", "Resident Memory (KB)", "Virtual Memory (KB)", Process_Status
| eval Process_Status = coalesce(Process_Status, "Unknown")
| rename "CPU %" as "CPU %", "MEM %" as "MEM %"
| fillnull value="N/A"