After succeeding with
"Infected files:" | rex field=_raw "Infected files: (?<Infected>\d*)" | convert timeformat="%Y-%m-%d" ctime(_time) AS date | table source, date, Infected, linecount | where date=strftime(now(), "%Y-%m-%d") | where Infected=0 | stats sum(linecount) as resultofscan | eval typeofresult="totalofnotinfected" | table typeofresult, resultofscan
to show a summary,
then, when dealing with the 0 case,
"Infected files:" | rex field=_raw "Infected files: (?<Infected>\d*)" | convert timeformat="%Y-%m-%d" ctime(_time) AS date | table source, date, Infected, linecount | where date=strftime(now(), "%Y-%m-%d") | where Infected>0 | stats sum(linecount) as resultofscan | eval totalofinfected=if(linecount=0,0,0) | eval scanresult="totalofinfected" | table typeofresult, resultofscan
when Infected > 0 there is no search result found, so it has a problem.
The final result should look like:
typeofresult        resultofscan
totalofnotinfected  100
totalofinfected     0
total               100
"Infected files:" | rex field=_raw "Infected files: (?<Infected>\d*)" | convert timeformat="%Y-%m-%d" ctime(_time) AS date | table source, date, Infected, linecount | where date=strftime(now(), "%Y-%m-%d") | where Infected=0 | stats sum(linecount) as resultofscan | eval typeofresult="totalofnotinfected" | table typeofresult, resultofscan
| append [ |"Infected files:" | rex field=_raw "Infected files: (?<Infected>\d*)" | convert timeformat="%Y-%m-%d" ctime(_time) AS date | table source, date, Infected, linecount | where date=strftime(now(), "%Y-%m-%d") | where Infected>0 | stats sum(linecount) as resultofscan | eval totalofinfected=if(linecount=0,0,0) | eval scanresult="totalofinfected" | table typeofresult, resultofscan ]
2. As I do not know how to sum the total after appending the table,
I hard-coded a total, but it cannot append this hard-coded total to the table:
| append [ | eval resultofscan=36 | eval typeofresult="total" | table typeofresult, resultofscan ]
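As an added example (not part of the original post), one way to get the three-row table from a single search instead of two appended ones: each category is summed inside the same stats call, so the branch with no matching events still yields 0 instead of an empty result, and the total is computed from the two sums before the rows are transposed. It keeps the author's field names and assumes the same "Infected files: N" log line; the only deliberate change is `\d+` instead of `\d*`, so a line that does not carry a number is left unmatched rather than producing an empty Infected value.

```spl
"Infected files:"
| rex field=_raw "Infected files: (?<Infected>\d+)"
| convert timeformat="%Y-%m-%d" ctime(_time) AS date
| where date=strftime(now(), "%Y-%m-%d")
| stats sum(eval(if(Infected=0, linecount, 0))) AS totalofnotinfected,
        sum(eval(if(Infected>0, linecount, 0))) AS totalofinfected
| eval total=totalofnotinfected+totalofinfected
| transpose
| rename column AS typeofresult, "row 1" AS resultofscan
```

Restricting the time range with earliest=@d instead of comparing a formatted date string would let the indexer skip today's non-matching events before they are retrieved, but the date comparison above is kept to match the original search.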