About robertoClaros

robertoClaros · ‎01-09-2026

Thank you so much for the help ! I used latest in order not to need to sort events but it works really well on my side.

robertoClaros · ‎01-09-2026

Thanks a lot ! I used it for the solution

robertoClaros · ‎01-07-2026

I tried the following example but it seems not really efficient and working : index=* Data IN ("testA", "test", "test2", "test3") | transaction Data | sort _time | eval testA_present=if(match(Data, "testA"), "true", "false") | eval test_present=if(match(Data, "(test|test2|test3)"), "true", "false") | eval testA_last=if(testA_present="true" AND test_present="true", mvindex(split(Data, "|"), -1) == "testA", "false") | where (testA_present="true" AND test_present="true" AND testA_last="false") OR (testA_present="false" AND test_present="true")

robertoClaros · ‎01-07-2026

Hello all, I am currently trying to do a search in which I verify if : => "testA" syslog has been received before any of "test", "test2" or "test3" syslog OR if "testA" syslog has not been received but we have one of the other syslogs "test", "test2" or "test3" The main goal is to verify if an event A happened before other ones making it a notable event. I tried things with transactions and eval commands in order to know which syslog was received and which was last but without big success. Thank you all.

Posts	4
Solutions	0
Karma Given	3
Karma Received	0
Member Since	‎01-07-2026

Online Status	Offline
Date Last Visited	‎01-09-2026 08:05 AM

Help building a search

Re: Help building a search

Re: Help building a search

Re: Help building a search

Help building a search

Join the Conversation

Help building a search

Re: Help building a search

Re: Help building a search

Re: Help building a search

Help building a search