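index=my_index sourcetype=my_sourcetype isDecommissioned="false" isUninstalled="false"
``` One row per host that has at least one event in the search time range: the time of its newest event and the newest threatRebootRequired value. Hosts with no events in the range produce no row at all, so the time picker bounds what "stale" can mean here. ```
| stats max(_time) as _time, latest(threatRebootRequired) as status by host
``` Day of week of the current time as a number (0 = Sunday ... 6 = Saturday). ```
| eval day_of_week=tonumber(strftime(now(), "%w"))
``` Weekend allowance that is subtracted from the age: 2 days on Sun/Mon, 1 day on Sat/Tue, otherwise 0. ```
| eval day_of_week_variable=case(day_of_week=0 OR day_of_week=1, 2, day_of_week=6 OR day_of_week=2, 1, true(), 0)
``` Age of the host's newest event in days, minus the weekend allowance. Computed once; the original repeated this eval. ```
| eval day_age_of_last_message=((now()-_time)/60/60/24)-day_of_week_variable
``` In eval an unquoted true is read as a field name, not a value; compare against the string "true" (assumes threatRebootRequired is indexed as the strings true/false, like the quoted boolean fields in the base search — confirm against the data). ```
| eval reboot_required=if(day_age_of_last_message>2 AND status="true", "reboot required", "not required")
``` eval only labels rows; where is what drops the rows that do not match, so the output contains only hosts older than 2 days whose newest event still requires a reboot. ```
| where day_age_of_last_message>2 AND status="true"
``` NOTE(review): this checks only the newest event per host. Confirming that the flag has stayed true for the whole 2-day window needs an extra aggregation over the window's threatRebootRequired values and is not done here. ```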