I have a subsearch returning all files imported per client as the value "Client_File". It's value will look like ABC_File1. Based on what is returned in this first search, I have second part of the search to look if files were missed, and if that value is not returned I want it to write a message to the table being returned. Below is the search I have so far but it is not returning the missed files correctly. | append [ search source=importhelpers Moved earliest=-25h@h | eval time=strftime(round(strptime(file_Time, "%I:%M:%S %P")), "%H:%M:%S") | eval Client_File = ClientID + "_" + FileImported ] | eval time=strftime(now(), "%H:%M:%S") | eval dow=strftime(strptime(file_Date, "%m/%d/%Y"), "%A") | eval MissedFiles = case(Client_File!="ABC_File1" AND time>"12:25:00" AND dow!="Sunday" AND dow!="Saturday", "ABC Missed File1 File. It was expected by 12:25:00", Client_File!="ABC_File2" AND time>"12:25:00" AND dow!="Sunday" AND dow!="Saturday", "ABC Missed File2 File. It was expected by 12:25:00", Client_File!="ABC_File3" AND time>"12:25:00" AND dow!="Sunday" AND dow!="Saturday", "ABC Missed File3 File. It was expected by 12:25:00") | where isnotnull(MissedFiles) | rename MissedFiles as "Missed Files Message Alert" | table "Missed Files Message Alert" ... View more

I need to run a search at 8 am, 3 pm, and 11:50 pm and the following cron is not working: 8,15,50 23 *** What does it need to be to run the search at those times every day? ... View more

I have an index that is populated by and extensive, long running query that creates a line like "Client1 Export1 Missed. Expected Time: 06:15:00". I have another index that is populated with fields to be over written and not appear in report. So if this above file needs to not show up I have the information of "Client1" and "Export1" I am looking for a way to search for all results in point 2 (the ones to not include) and exclude them in point 1. Something like this: | where "Missed Exports Message Alert" NOT in [ search sourcetype="si_Export_FileMissed" earliest=-24h@h | eval clearExport = ClientID + " " + ExportType | table clearExport ] How do you use NOT in as this is not working as I expect. Another way to ask this question, is how to exclude results from a subsearch from the overall search? ... View more

I have events that only time stamp is the Splunk generated _time and I only need to return events after a certain date, 3/22/2018. Simply adding "Where _time > 3/22/2018" does not work and I have attempted converting _time and comparing against that to no avail. Any suggestions? ... View more

I have the following Field named FileImported that is formatted the following way: text_text_NEEDED EXTRACTION_text An example of FileImported is: 22_ABC_FileID1564_Export And I want "FileID1564" as a field named "Export" from the existing Fileimported field. I have attempted Regex myself, but am not as experienced in it to get it working. What would be the regex needed to extract what I need based on the FileImported field format? ... View more

I have four searches that my end user wants all in one .CSV file, but each result set on a different sheet, not all together. Is there a way to accomplish this in Splunk without having to send each search in a different email/file? For reference: I have the Splunk Excel Export app installed, but do not see this functionality. ... View more

My goal for this search is to find if a file was not imported. If the file is imported "Could not find a file in the" text will be present. If the file is imported, "Moved" text will be present. Our system looks to import the file consistantly. So, at 07:30:00 the file may be imported so "Moved" will appear in the log file. But at 08:00:00 the system will look to import the file, but since there is nothing to import (because it was imported at 07:30:00) "Could not file the file in the" will be written to the log. I am trying to write a search that if "Moved" is present then I do not even want to know the count of "Could not find the file in the". However, if "Moved" is never found in the log file during the specified time frame, then I do want to run a search and find all instances of "Could not find the file in the". So in short, I am seeking help of writing a search that does not include false negatives. Below is the search I have put together. I attemped to search for the expected files and find a count. Then in the second query, if the count was less than expected (so I did not find the number of imported files as expected), then I would look for "Could not find the file in the", the files that were not found. This search is not working as I have found I can not pass a count's value into a sub-search/second query. So "FilesImported" from the first query does not have the value I expect in the second query's "WHERE" clause. I have shortened the query for just two instances of a customers (instead of all 20+) as each customer has different files that are to be imported at different times on different days. source=*D:\\redacted\\redacted* source=*IH_Daily\\redacted* Moved earliest=-48h@h | eval dayBuffer=strftime(now(), "%d") | eval day=ltrim(tostring(dayBuffer),"0") | eval todayBuffer=strftime(now(), "%m_"+day+"_%Y") | eval today=ltrim(tostring(todayBuffer),"0") | where like(source,"%10_19_2017%") | eval time=strftime(round(strptime(file_Time, "%I:%M:%S %P")), "%H:%M:%S") | eval dow=strftime(strptime(file_Date, "%m/%d/%Y"), "%A") | rex field=source "redacted\\\+(?<ClientID>[^\\\]+)" | where ClientID="$clientID$" | where (like(source,"%"."client1"."%") AND (dow!="Sunday" AND dow!="Monday") AND (time>"07:27:00" AND time<"08:27:00") AND (FileImported="file1") OR (like(source,"%"."client2"."%")) AND (FilesImported!=2) AND (dow!="Sunday" AND dow!="Tuesday") AND (time>"09:00:00"AND time<"11:30:00") AND ((FileImported="file1") OR (FileImported="file2") OR (FileImported="file3")))) | stats count as FilesImported | append [ search source=*D:\\redacted\\redacted* source=*IH_Daily\\redacted* ("Could not find a file in the") earliest=-48h@h | eval dayBuffer=strftime(now(), "%d") | eval day=ltrim(tostring(dayBuffer),"0") | eval todayBuffer=strftime(now(), "%m_"+day+"_%Y") | eval today=ltrim(tostring(todayBuffer),"0") | where like(source,"%10_19_2017%") | eval time=strftime(round(strptime(file_Time, "%I:%M:%S %P")), "%H:%M:%S") | eval dow=strftime(strptime(file_Date, "%m/%d/%Y"), "%A") | rex field=source "redacted\\\+(?<ClientID>[^\\\]+)" | where ClientID="$clientID$" | where ((like(source,"%"."client1"."%")) AND (FilesImported<1) AND (dow!="Sunday" AND dow!="Monday") AND (time>"07:27:00"AND time<"08:27:00") AND (file_Missing="file1") OR (like(source,"%"."client2"."%")) AND (FilesImported!<3) AND (dow!="Sunday" AND dow!="Tuesday") AND (time>"09:00:00"AND time<"11:30:00") AND ((file_Missing="file1") OR (file_Missing="file2") OR (file_Missing="file3"))) | stats count as "File Missed" ] |table "File Missed" ... View more

Each search below gathers data via SQL Queries from 3 different databases on 3 different servers. I have combined them into one with the hope to return the "totalerrors" and "ClientID" associated with those errors in one final table at the bottom. So it would look like: totalerrors | ClientID 0 | abc 3 | def 5 | ghi As of right now, the search below only returns the first searches data. So, I am only retrieving: totalerrors | ClientID 0 | abc Any suggestions on how to return the data from each sub-search query into one final table, all together? | dbxquery query="SELECT count(*) as totalerrors, 'abc' as ClientID FROM \"CM126abc\".\"dbo\".\"table1\" (NOLOCK) WHERE PROCESSEDFLAG = 'N' and ADDEDDT>DATEADD(hour, -24, GETDATE())" connection="126" | fields totalerrors, ClientID | appendcols [dbxquery query="SELECT count(*) as totalerrors, 'def' as ClientID FROM \"CM126def\".\"dbo\".\"table2\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE())" connection="126" | fields totalerrors, ClientID ] | appendcols [dbxquery query="SELECT count(*) as totalerrors, 'ghi' as ClientID FROM \"CM126ghi\".\"dbo\".\"table3\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE())" connection="126" | fields totalerrors, ClientID] | table UnprocessedVendorCAs, ClientID ... View more

I want to use the count from the first search "FilesImported" as criteria in the where clause of the subsearch. FilesImported is 0 and "File Missed" needs to be 1, but "File Missed" is currently returning 0 which shows me that the subsearch Where Clause is not working as I expected. So, how does one use the count of the first search as criteria in the Where Clause of the subsearch? source=*D:\\gfd\\import* source=*Daily\\Debug* Moved earliest=-36h@h | eval time=strftime(round(strptime(file_Time, "%I:%M:%S %P")), "%H:%M:%S") | eval dow=strftime(strptime(file_Date, "%m/%d/%Y"), "%A") | rex field=source "importhelpers\\\+(?<ClientID>[^\\\]+)" | where ClientID="NAB" | where (like(source,"%"."NAB"."%") AND (dow!="Sunday" AND dow!="Monday") AND (time>"07:57:00" AND time<"08:27:00") AND FileImported="Record") | stats count as FilesImported | appendcols [ search source=*D:\\gfd\\import* source=*Daily\\Debug* "Could not find a file in the" OR Moved earliest=-36h@h | eval time=strftime(round(strptime(file_Time, "%I:%M:%S %P")), "%H:%M:%S") | eval dow=strftime(strptime(file_Date, "%m/%d/%Y"), "%A") | rex field=source "importhelpers\\\+(?<ClientID>[^\\\]+)" | where ClientID="NAB" | where ((like(source,"%"."NAB"."%") AND FilesImported!=1) AND (dow!="Sunday" AND dow!="Monday") AND (time>"07:27:00"AND time<"08:27:00") AND (file_Missing="Position")) | stats count as "File Missed" ] | table "File Missed" ... View more

The search below looks for an event for a specific client during a specific time. If the event is not there, I would want to be notified, thus a "1" should be returned. There is no event, so noNull is 0. The case statement "end" should be "1-0" (1-noNull), so 1 should be returned. However, I get "No results found." FYI: the search does work is noNull is 1. source=*D:\\FHSO\\imports* source=*daily\\imports* End earliest=-30h@h | eval time=strftime(round(strptime(file_Time, "%I:%M:%S %P")), "%H:%M:%S") | where ClientID="WHI" | where ((like(source,"%"."WHI"."%")) AND time>"02:00:00" AND time<"02:25:00") | stats count as lateEnds | eval noNull = if(ISNULL(lateEnds),0,lateEnds) | eval end = case(ClientID="WHI", 1-noNull ) | table end ... View more

The query below takes approximately 20 minutes to run and I need help optimizing it. The point of the query is to gather the number of problematic data conditions from each client. The conditions are: 1. Where PROCESSEDFLAG='N' (from the VA table) 2. Where WORKFLOWSTATUS is null (from the CA table) 3. Where PROCESSEDFLAG='N' (from the VS table). Our current setup has each client having their own database and clients split throughout servers. Given our setup, this is why I have formatted the search to have a different sub-search for each problematic condition for each client. What solutions are there to fix the current speed of the search or optimize the current query? |dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID1\".\"dbo\".\"VA\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-126" | stats count as ALPVCA | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID2\".\"dbo\".\"VA\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-126" | stats count as ARTVCA] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID3\".\"dbo\".\"VA\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-126" | stats count as CEGVCA] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID4\".\"dbo\".\"VA\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-126" | stats count as CFUSVCA] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID5\".\"dbo\".\"VA\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-116" | stats count as IRMVCA] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID6\".\"dbo\".\"VA\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-116" | stats count as MARVCA] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID7\".\"dbo\".\"VA\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-116" | stats count as USBIVCA] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID8\".\"dbo\".\"VA\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-116" | stats count as WHIVCA] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID9\".\"dbo\".\"VA\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-124" | stats count as WOSVCA] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID10\".\"dbo\".\"VA\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-124" | stats count as POWVCA] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID11\".\"dbo\".\"VA\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-124" | stats count as NABVCA] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID12\".\"dbo\".\"VA\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-125" | stats count as NDQVCA] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID13\".\"dbo\".\"VA\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-127" | stats count as WEDVCA] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID14\".\"dbo\".\"VA\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-127" | stats count as HLMVCA] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID15\".\"dbo\".\"VA\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-127" | stats count as ICBCVCA] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID16\".\"dbo\".\"VA\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-128" | stats count as CFUKVCA] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID17\".\"dbo\".\"VA\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-128" | stats count as MEDVCA] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID18\".\"dbo\".\"VA\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-128" | stats count as SPIVCA] | appendcols [dbxquery query="SELECT ClientID FROM \"clientID1\".\"dbo\".\"CA\" WHERE WORKFLOWSTATUS = Null connection="connection-126" | stats count as ALPWS] | appendcols [dbxquery query="SELECT ClientID FROM \"clientID2\".\"dbo\".\"CA\" WHERE WORKFLOWSTATUS = Null connection="connection-126" | stats count as ARTWS] | appendcols [dbxquery query="SELECT ClientID FROM \"clientID3\".\"dbo\".\"CA\" WHERE WORKFLOWSTATUS = Null connection="connection-126" | stats count as CEGWS] | appendcols [dbxquery query="SELECT ClientID FROM \"clientID4\".\"dbo\".\"CA\" WHERE WORKFLOWSTATUS = Null connection="connection-126" | stats count as CFUSWS] | appendcols [dbxquery query="SELECT ClientID FROM \"clientID5\".\"dbo\".\"CA\" WHERE WORKFLOWSTATUS = Null connection="connection-116" | stats count as IRMWS] | appendcols [dbxquery query="SELECT ClientID FROM \"clientID6\".\"dbo\".\"CA\" WHERE WORKFLOWSTATUS = Null connection="connection-116" | stats count as MARWS] | appendcols [dbxquery query="SELECT ClientID FROM \"clientID7\".\"dbo\".\"CA\"WHERE WORKFLOWSTATUS = Null connection="connection-116" | stats count as USBIWS] | appendcols [dbxquery query="SELECT ClientID FROM \"clientID8\".\"dbo\".\"CA\" WHERE WORKFLOWSTATUS = Null connection="connection-116" | stats count as WHIWS] | appendcols [dbxquery query="SELECT ClientID FROM \"clientID9\".\"dbo\".\"CA\" WHERE WORKFLOWSTATUS = Null connection="connection-124" | stats count as WOSWS] | appendcols [dbxquery query="SELECT ClientID FROM \"clientID10\".\"dbo\".\"CA\" WHERE WORKFLOWSTATUS = Null connection="connection-124" | stats count as POWWS] | appendcols [dbxquery query="SELECT ClientID FROM \"clientID11\".\"dbo\".\"CA\" WHERE WORKFLOWSTATUS = Null connection="connection-124" | stats count as NABWS] | appendcols [dbxquery query="SELECT ClientID FROM \"clientID12\".\"dbo\".\"CA\" WHERE WORKFLOWSTATUS = Null connection="connection-125" | stats count as NDQWS] | appendcols [dbxquery query="SELECT ClientID FROM \"clientID13\".\"dbo\".\"CA\" WHERE WORKFLOWSTATUS = Null connection="connection-127" | stats count as WEDWS] | appendcols [dbxquery query="SELECT ClientID FROM \"clientID14\".\"dbo\".\"CA\" WHERE WORKFLOWSTATUS = Null connection="connection-127" | stats count as HLMWS] | appendcols [dbxquery query="SELECT ClientID FROM \"clientID15\".\"dbo\".\"CA\" WHERE WORKFLOWSTATUS = Null connection="connection-127" | stats count as ICBCWS] | appendcols [dbxquery query="SELECT ClientID FROM \"clientID16\".\"dbo\".\"CA\" WHERE WORKFLOWSTATUS = Null connection="connection-128" | stats count as CFUKWS] | appendcols [dbxquery query="SELECT ClientID FROM \"clientID17\".\"dbo\".\"CA\" WHERE WORKFLOWSTATUS = Null connection="connection-128" | stats count as MEDWS] | appendcols [dbxquery query="SELECT ClientID FROM \"clientID18\".\"dbo\".\"CA\" WHERE WORKFLOWSTATUS = Null connection="connection-128" | stats count as SPIWS] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID5\".\"dbo\".\"VS\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-116" | stats count as IRMVSEC] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID6\".\"dbo\".\"VS\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-116" | stats count as MARVSEC] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID7\".\"dbo\".\"VS\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-116" | stats count as USBIVSEC] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID8\".\"dbo\".\"VS\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-116" | stats count as WHIVSEC] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID9\".\"dbo\".\"VS\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-124" | stats count as WOSVSEC] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID10\".\"dbo\".\"VS\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-124" | stats count as POWVSEC] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID11\".\"dbo\".\"VS\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-124" | stats count as NABVSEC] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID12\".\"dbo\".\"VS\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-125" | stats count as NDQVSEC] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID13\".\"dbo\".\"VS\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-127" | stats count as WEDVSEC] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID14\".\"dbo\".\"VS\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-127" | stats count as HLMVSEC] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID15\".\"dbo\".\"VS\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-127" | stats count as ICBCVSEC] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID16\".\"dbo\".\"VS\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-128" | stats count as CFUKVSEC] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID17\".\"dbo\".\"VS\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-128" | stats count as MEDVSEC] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID18\".\"dbo\".\"VS\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-128" | stats count as SPIVSEC] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID1\".\"dbo\".\"VS\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-126" | stats count as ALPVSEC] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID2\".\"dbo\".\"VS\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-126" | stats count as ARTVSEC] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID3\".\"dbo\".\"VS\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-126" | stats count as CEGVSEC] | appendcols [dbxquery query="SELECT PROCESSEDFLAG FROM \"clientID4\".\"dbo\".\"VS\" WHERE PROCESSEDFLAG = 'N' and ADDEDDT >DATEADD(hour, -24, GETDATE()) " connection="connection-126" | stats count as CFUSVSEC] | eval Totals= ARTVCA+CEGVCA+CFUSVCA+IRMVCA+MARVCA+USBIVCA+WHIVCA+WOSVCA+POWVCA+NDQVCA+WEDVCA+HLMVCA+ICBCVCA+CFUKVCA+MEDVCA+SPIVCA+ARTVSEC+CEGVSEC+CFUSVSEC+IRMVSEC+MARVSEC+USBIVSEC+WHIVSEC+WOSVSEC +POWVSEC+NDQVSEC+WEDVSEC+HLMVSEC+ICBCVSEC+CFUKVSEC+MEDVSEC+SPIVSEC+ARTWS+CEGWS+CFUSWS+IRMWS+MARWS+USBIWS+WHIWS+WOSWS+POWWS+NDQWS+WEDWS+HLMWS+ICBCWS+CFUKWS+MEDWS+SPIWS | table Totals ... View more

This search checks to make sure a certain process ended on time. I expect to have results for the 6 cases in the where clause below. In the case that a Client's process did not end on time, it would not be returned in this search. I would like to reverse the logic to return information for when a Client misses an expected end time. For Example: if client6's process ends after 01:15:00, I would want to see the ClientID and expected time range. source=*D:\\THY\\helper* source=*IH_Daily\\Debug* End earliest=-30h@h | eval time=strftime(round(strptime(file_Time, "%I:%M:%S %P")), "%H:%M:%S") | rex field=source "importhelpers\\\+(?[^\\\]+)" | where ((like(source,"%"."client1"."%")) AND time>"05:00:00" AND time<"05:15:00") OR ((like(source,"%"."client2"."%")) AND time>"09:30:00" AND time<"09:45:00") OR ((like(source,"%"."client3"."%")) AND time>"07:30:00" AND time<"07:42:00") OR ((like(source,"%"."client4"."%")) AND time>"07:00:00" AND time<"07:25:00") OR ((like(source,"%"."client5"."%")) AND time>"05:00:00" AND time<"05:30:00") OR ((like(source,"%"."client6"."%")) AND time>"00:30:00" AND time<"01:15:00") | table ClientID, timerange, source ... View more

Below is the current search I have put together to extract a couple fields. The extraction of the ClientID from the source works perfect. I now need to extract the filetype from the import_File field based on the previously extracted ClientID . Search: source=*D:\\XSP\\importhelpers* source=*IH_Daily\\DebugImportHelper* Moved earliest=-36h@h | rex field=source "importhelpers\\\\+(?ClientID[^\\\\]+)" | rex field=import_File ""ClientID"\\\\\\\\\\+(?filetype[^\\]+)" import_File Examples: D:\XSP\Builds\IRM\InternalImports\IRM\Account\IRM_Accounts_20170810_csv.xml D:\XSP\Builds\USBI\InternalImports\IRM\Manager\IRM_Accounts_20170810_csv.xml In these examples I am trying to extract from the import_File where file_Type will be Account or Manager . It is important to note that IRM and USBI right before that is the ClientID that is extracted from the first rex field. This ClientID will be different for each client and I will need to extract the filetype based on this. ... View more