Hi

I would like to improve this complex request :

(sourcetype=powershell:rebootPending) |stats latest(Reboot_Pending) as Reboot_Pending by host | eval Reboot_Pending=if(like("True", "False"), "Yes", "No")

|append [ search (index=windows sourcetype=tools:flags filename=*TOUPDATE*) |eval flagExists="Yes" ]

|append [

search source="Autologon_install.log"  sourcetype="autologon:install" 

| rex "(?m)(?(.*))[\r\n]*\z" 

| search NOT last_line="*Autologon*"

| stats latest(last_line) as last_line by host

| eval Autologon_Error=if(like(last_line,"%Installation complete.%"), "No", "Yes")

]

|append [

search index=_internal host=TOL*|stats latest(_time) as _time by host|eval Ping_Status=if(_time>now()-60,"OK","KO") ]

|stats values(flagExists) as flagExists, values(Reboot_Pending) as Reboot_Pending, values(Autologon_Error) as Autologon_Error, values(Ping_Status) as Ping_Status by host | fillnull value="No" flagExists

1) I would like to use a loop because tools:flags filename=TOUPDATE exists only sometimes
So i would like to have something like this :
" if flagExists="No" then do nothing, if flagExists="Yes" then..... (equest launching)
2) The second thing i would like to do is for this piece of code:
search index=_internal host=TOL*|
In fact, host correspond to the hostname of a computer
But this hostname can begin with many different ways : BLL, HAL....
So want can i do for taking into account all these case?
3) The last thing is for this code : Ping_Status=if(_time>now()-60,"OK","KO") ]
Here, i monitore the SPLUNK service for knowing if the computer ping on network
But i would prefer to monitore the network directy
How to proceed please?
Thanks a lot