index="Index1" sourcetype="response" | eval running_ok = if(response_status="Running","0","1") |head 1
|join running_ok
[search index="Index1" sourcetype="monitor" | eval running_ok = if(monitor_status="Running","0","1")|head 1]
|eval final = if(running_ok==0,0,1)
|eval final = if(running_ok==" " OR running_ok==1,1,0) |table final | outputlookup output.csv
I am using join on two sourcetypes for the field "running_ok".
The following table is derived based on how the inner join functions.
(Main search "running_ok" result), (Sub search "running_ok" result) = 0 or 1 or Blank (Join search returned no values.)
0,0=0 (Running)
1,0= blank (Not Running)
0,1= blank (Not Running)
1,1=1 (Not Running)
With the statements below, I am able to assign the required value for "final" when running_ok=0 or 1, but I could not assign a value for "final" when "Join search returns no values."
Please let me know the way to handle it when the join search returns no rows.
|eval final = if(running_ok==0,0,1)
|eval final = if(running_ok=="Join search returns no values." OR running_ok==1,1,0)
The following two did not help either.
| eval final=if(match(running_ok, "No results") OR running_ok=1, 1, 0) |
| eval final = if(isnull(running_ok) OR running_ok==1,1,0)
Try this:
index="Index1" sourcetype="response" OR sourcetype="monitor"| eval running_ok = if(response_status="Running" OR monitor_status="Running","0","1") |head 1
|fillnull running_ok value=1
|eval final = if(running_ok==1,1,0) |table final | outputlookup output.csv
Thank you. I am going to try it and update.
What does the following mean?
|fillnull running_ok value=1
You had two final eval statements, which I didn't understand the need for, and in one eval statement you had running_ok=" ".
The fillnull statement would just fill all null values with the value 1, so you wouldn't need that in the eval.
In the eval statement running_ok=" ", I am looking for a query which did not return any rows (No results found.).
I am sure it is not the right way to check it. I am looking for the right way to check "No results found."
Because the join does not return any rows when no match happens. I am trying to catch those kinds of entries, which will have "No results found".
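An added example, not part of any post in this thread: the join search from the question with an `appendpipe` clause that emits `final=1` when the inner join produces no rows. It uses only the index, sourcetypes, field names and lookup file named in the question.

```spl
index="Index1" sourcetype="response"
| head 1
| eval running_ok = if(response_status="Running","0","1")
| join running_ok
    [ search index="Index1" sourcetype="monitor"
      | head 1
      | eval running_ok = if(monitor_status="Running","0","1") ]
| eval final = if(running_ok==0,0,1)
| table final
| appendpipe
    [ stats count
      | where count==0
      | eval final = 1
      | fields - count ]
| outputlookup output.csv
```

The `stats count` inside `appendpipe` runs over the current result set, so the extra row is appended only when that set is empty. `isnull()` and `fillnull` cannot cover this case because they operate on rows that already exist.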