I'm trying to list the last logged event for each permutation of my two logged fields (columns). If the last event was too long ago, I want to output "dead" for that combination of the two columns.
My queries thus far are using eval with if. However, I can't get the if statement to work with my column values.
If I make a dummy query,
hello_world_name=* host=* | stats max(timestamp) by hello_world_name, host | eval awol=if(1>0,"dead","live") | fields hello_world_name, host, awol, max(timestamp)
This will output "dead", because 1 > 0 evaluates to true. That seems right! 🙂
However, this one doesn't work:
hello_world_name=* host=* | stats max(timestamp) by hello_world_name, host | eval awol=if(max(timestamp)<0,"dead","live") | fields hello_world_name, host, awol, max(timestamp)
What happens is, the value in the predicate of the "if" always evaluates to false.
max(timestamp) compared to anything is always false (or null?)
If I replace the tested value with "timestamp", it still doesn't work: "timestamp" compared to anything is always false (or null?).
This one doesn't work either:
hello_world_name=* host=* | stats max(timestamp) as bob by hello_world_name, host | eval awol=if(bob>now(),"dead","live") | fields hello_world_name, host, awol, bob
What happens is, even though "bob" is a real value, as evidenced by the column labeled "bob", no matter whether the predicate is set to "bob>now()" or "bob<now()", the answer is always as if it is false: the value of awol is "live".
What is the deal? Am I using eval incorrectly? How do I test fields from elsewhere in the query?
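Working forms of the search above, added here as an example and not part of the original post. Two things are assumed about the poster's data: that the events carry the standard `_time` field (epoch seconds), and that the custom `timestamp` field, where it is used at all, is a string in `%Y-%m-%d %H:%M:%S` format. The one-hour threshold (`3600`) is a placeholder for whatever "too long ago" means in the poster's environment. The first search keeps the original `stats max(timestamp)` and only fixes the field reference: a field name that contains parentheses has to be wrapped in single quotes inside `eval`, otherwise `max(timestamp)` is parsed as a function call, not a field. The second search renames the aggregate, works in epoch seconds so that the comparison with `now()` is numeric, and formats the result for display. The third covers the case where the only usable time is the string field `timestamp`, which must be converted with `strptime` before `max()` and the numeric comparison are meaningful.

```spl
hello_world_name=* host=* | stats max(timestamp) by hello_world_name, host | eval awol=if('max(timestamp)'<0,"dead","live") | fields hello_world_name, host, awol, max(timestamp)

hello_world_name=* host=*
| stats max(_time) as last_seen by hello_world_name, host
| eval age_sec=now()-last_seen
| eval awol=if(age_sec>3600,"dead","live")
| eval last_seen=strftime(last_seen,"%Y-%m-%d %H:%M:%S")
| fields hello_world_name, host, awol, age_sec, last_seen

hello_world_name=* host=*
| eval ts_epoch=strptime(timestamp,"%Y-%m-%d %H:%M:%S")
| stats max(ts_epoch) as last_seen by hello_world_name, host
| eval age_sec=now()-last_seen
| eval awol=if(age_sec>3600,"dead","live")
| fields hello_world_name, host, awol, age_sec, last_seen
```

Two caveats worth knowing when using this as a "dead source" check. `if()` returns the else branch whenever the condition is anything other than true, so a comparison that evaluates to null (an unquoted aggregate name, or a string compared with a number) silently yields "live" rather than an error, which matches the behaviour described in the post. And `stats` only sees events inside the search's time range: a `hello_world_name`/`host` pair whose last event is older than the range does not show up as "dead", it disappears from the results entirely. Run the search over a window wider than the threshold, or compare against a lookup of the combinations that are expected to exist, if silent sources are the thing you are trying to catch.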