05-06-2015 11:36:06,,uid2 -> TIMEOUT

SasiB137 · ‎06-08-2015

in,out,name
05-06-2015 11:37:04,05-06-2015 11:37:04 ,uid2
05-06-2015 11:36:06,,uid2

how do I do this,
If out time is not in the event and
OUT time > (current_time + 1hr) then mark status as TIMEOUT

lets say now is 05-06-2015 12:47:00 then expected output should be as

==================================
in,out,name
05-06-2015 11:37:04,05-06-2015 11:37:04 ,uid2 -> expected is -> LOGOUT

woodcock · ‎06-08-2015

Based on your comment:

OUT time > (current_time + 1hr) then mark status as TIMEOUT else 'ACTIVE'

This is the search (but it doesn't make any sense to me because now event should "happen after" now()):

... | eval outEpoch= strptime(out, "%m-%d-%Y %H:%M:%S") | eval status=if(outEpoch > (now() + 60*60), "TIMEOUT", "ACTIVE")

woodcock · ‎06-08-2015

Based on your comment:

OUT time > (current_time + 1hr) then mark status as TIMEOUT else 'ACTIVE'

This is the search (but it doesn't make any sense to me because now event should "happen after" now()):

... | eval outEpoch= strptime(out, "%m-%d-%Y %H:%M:%S") | eval status=if(outEpoch > (now() + 60*60), "TIMEOUT", "ACTIVE")

woodcock · ‎06-08-2015

Like this (probably not exactly what you need but I am having trouble comprehending your example; this should get you started anyway):

... | eval status=if(isnull(out), "TIMEOUT", "LOGOUT") | table in out name status

SasiB137 · ‎06-08-2015

OUT time > (current_time + 1hr) then mark status as TIMEOUT else 'ACTIVE'

how do I clac time out using eval