PFB the query I was working on:
I started with a join query so that I could search for jobs only present in my lookup file, but was having problems with it, so I dropped it:
index="test"
| lookup sla_jobs.csv BatchEndJob as JobName OUTPUTNEW Business as EndBusiness,
AppName as EndAppName,
RunDays as EndRunDays,
AvgBatchStartTime as EndAvgBatchStartTime,
BatchEndJob as EndBatchEndJob,
SLA_time as EndSLA_time,
SameDayFlag as EndSameDayFlag
| eval JobEndTime_HH=tonumber(strftime(strptime(JobEndTime,"%Y%m%d %H%M"),"%H"))*60,
JobEndTime_MM=tonumber(strftime(strptime(JobEndTime,"%Y%m%d %H%M"),"%M")),
JobEndTime_Total = JobEndTime_HH + JobEndTime_MM
| eval SLA_HH=tonumber(strftime(strptime(SLA,"%H:%M"),"%H"))*60,
SLA_MM=tonumber(strftime(strptime(SLA,"%H:%M"),"%M")),
SLA_Total=SLA_HH+SLA_MM
| eval SLA_Status = if(EndSameDayFlag==0 AND JobStatus=="COMPLETE" AND JobEndTime_Total < SLA_Total,"Met","Missed")