My current search (below) returns 3 results that have a field called "import_File" that contains either the text "Account", "Owner", or "Member" in the file path. If there is an instance where the search does not contain a file path containing either the text "Account", "Owner", or "Member", I want to return the "source" so I can go in and check it out.
Search:
source=*D:\\filePath\\filePath* source=*filePath\\filePath.log* Moved
| eval todayBuffer=strftime(now(), "%m_%d_%Y") | eval today=ltrim(tostring(todayBuffer),"0") | where like(source,"%".today."%")
| where ((like(source,"%"."ClientID"."%")))
| sort -_time
Results:
7/31/2017 5:09:18 AM -- Moved D:\filepath\filepath\ClientID\filepath\ClientID\Position\ClientID_Owner_csv.xml Size:26.46 MB
7/31/2017 5:08:18 AM -- Moved D:\filepath\filepath\ClientID\filepath\ClientID\Account\ClientID_Account_csv.xml Size:586.22 KB
7/31/2017 5:03:15 AM -- Moved D:\filepath\filepath\ClientID\filepath\ClientID\Member\ClientID_Member_csv.xml Size:3.06 MB
For example (below), if tomorrow's search does not return an import_File with a file path containing "Member" I would want
to return the source.
Example Problem Search Results:
8/1/2017 5:09:18 AM -- D:\filepath\filepath\ClientID\filepath\ClientID\Position\ClientID_Owner_csv.xml Size:26.46 MB
8/1/2017 5:08:18 AM -- D:\filepath\filepath\ClientID\filepath\ClientID\Account\ClientID_Account_csv.xml Size:586.22 KB
Give this a try
source=*D:\\filePath\\filePath* source=*filePath\\filePath.log* Moved
| eval todayBuffer=strftime(now(), "%m_%d_%Y") | eval today=ltrim(tostring(todayBuffer),"0") | where like(source,"%".today."%")
| where ((like(source,"%"."ClientID"."%"))) | rex field=source "ClientID_(?<type>[^_]+)" | eventstats values(type) as type
| sort -_time | where mvcount(type)<3 | table source ..other fields you want...
This will return either Owner, Account, Member, or the entire source.
| rex field=source "(?i)(?<sourcefound>Owner|Account|Member)"
| eval source=coalesce(sourcefound,source)
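To make the two answers above concrete, here is an added Python model of the same logic (not code from the original thread or from Splunk): it runs the first answer's `rex ClientID_(?<type>[^_]+)` / `eventstats values(type)` / `mvcount(type)<3` check and the second answer's `coalesce(sourcefound, source)` fallback over the sample events quoted in the question, so you can see what each step yields for the 7/31 run (all three files present, nothing to alert on) and the 8/1 run (Member missing, rows returned). The event lines are constructed from the question's results and stand in for whatever the base search returns; the `date_token` helper mirrors the `ltrim(strftime(now(), "%m_%d_%Y"), "0")` expression and shows that `ltrim` strips leading zeros from the month only.

```python
import re
from datetime import date

# Constructed sample events, modelled on the results quoted in the question.
# They stand in for what the base search returns for two runs:
# 7/31 moved all three files, 8/1 is missing the Member file.
SAMPLE_EVENTS = [
    r"7/31/2017 5:09:18 AM -- Moved D:\filepath\filepath\ClientID\filepath\ClientID\Position\ClientID_Owner_csv.xml Size:26.46 MB",
    r"7/31/2017 5:08:18 AM -- Moved D:\filepath\filepath\ClientID\filepath\ClientID\Account\ClientID_Account_csv.xml Size:586.22 KB",
    r"7/31/2017 5:03:15 AM -- Moved D:\filepath\filepath\ClientID\filepath\ClientID\Member\ClientID_Member_csv.xml Size:3.06 MB",
    r"8/1/2017 5:09:18 AM -- Moved D:\filepath\filepath\ClientID\filepath\ClientID\Position\ClientID_Owner_csv.xml Size:26.46 MB",
    r"8/1/2017 5:08:18 AM -- Moved D:\filepath\filepath\ClientID\filepath\ClientID\Account\ClientID_Account_csv.xml Size:586.22 KB",
]

# The three files every daily run is expected to move.
EXPECTED_TYPES = {"Account", "Owner", "Member"}

# Same pattern as the first answer's rex: the token after "ClientID_" up to the next underscore.
TYPE_RE = re.compile(r"ClientID_(?P<type>[^_]+)")
# Equivalent of the second answer's rex: case-insensitive match of one of the three names.
FOUND_RE = re.compile(r"(?i)(?P<sourcefound>Owner|Account|Member)")
# Leading "M/D/YYYY " timestamp of each event line.
DATE_RE = re.compile(r"^(\d{1,2})/(\d{1,2})/(\d{4}) ")


def _as_date(d):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(d) if isinstance(d, str) else d


def date_token(d):
    """Mirror eval today=ltrim(strftime(now(), "%m_%d_%Y"), "0").
    ltrim removes leading characters only, so the day keeps its zero:
    2017-08-01 -> "8_01_2017" (the month is trimmed, the day is not)."""
    return _as_date(d).strftime("%m_%d_%Y").lstrip("0")


def event_date(event):
    """Parse the event's leading M/D/YYYY timestamp into a date, or None."""
    m = DATE_RE.match(event)
    if not m:
        return None
    month, day, year = (int(x) for x in m.groups())
    return date(year, month, day)


def extract_type(event):
    """Mirror rex field=source "ClientID_(?<type>[^_]+)"."""
    m = TYPE_RE.search(event)
    return m.group("type") if m else None


def found_or_source(event):
    """Mirror rex "(?i)(?<sourcefound>Owner|Account|Member)" | eval source=coalesce(sourcefound, source):
    the matched name when present, otherwise the whole source/event."""
    m = FOUND_RE.search(event)
    return m.group("sourcefound") if m else event


def types_seen(events, run_date):
    """Mirror eventstats values(type) as type, restricted to one run's events."""
    run_date = _as_date(run_date)
    return {t for t in (extract_type(e) for e in events if event_date(e) == run_date) if t}


def missing_types(events, run_date):
    """Expected types with no event on the given run date."""
    return EXPECTED_TYPES - types_seen(events, run_date)


def alert_rows(events, run_date):
    """Mirror where mvcount(type)<3 | table source: return the run's events only
    when at least one expected type is absent; an empty list means nothing to alert on."""
    run_date = _as_date(run_date)
    if not missing_types(events, run_date):
        return []
    return [e for e in events if event_date(e) == run_date]


if __name__ == "__main__":
    for d in (date(2017, 7, 31), date(2017, 8, 1)):
        rows = alert_rows(SAMPLE_EVENTS, d)
        missing = sorted(missing_types(SAMPLE_EVENTS, d)) or "nothing"
        print(f"{d} (today token {date_token(d)}): missing {missing}; {len(rows)} row(s) to show")
        for r in rows:
            print("  ", found_or_source(r), "<-", r)
```

Running it prints no rows for 7/31 and the two 8/1 events (labelled Owner and Account) with "missing ['Member']", which is the dashboard behaviour the question asks for. Note that `mvcount(type)<3` only fires when a whole type is absent for the day; if the same type were moved twice and another not at all, `values(type)` would still have fewer than three entries, so the check still catches it, but it would not catch a missing file on a day that produces no events at all, since an empty search yields no rows to evaluate.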
What will be the expected output (for the sample data)?
This is an "Alert Dashboard" I am creating. So if all show up (Results) then nothing should show up. If what we expected to show up does not (Example Problem Search Results) then I would want the "source" to be returned so I can know the log file that has the information on the issue.
@griffinpair - Just so you know, there is special markup language on this site so certain symbols will transform your post. If you wrap a word in the asterisk symbol * or _, without wrapping it in a code sample, it will italicize the word. If you wish to show the * (i.e. you are displaying sample code), simply click on the Code Sample icon to the right of the Blockquote icon in the formatting toolbar. That is how I was able to edit your post so that the * will display.