Hello,
I would like to know if it's possible to do a certain part of a search with an if statement on a field.
For example:
index="test" | head 1 | eval field = lastUpdate | eval date = strptime(field, "%Y.%m.%d %H:%M.%S")
(lastUpdate is an extracted field)
The problem here is field is sometimes null, sometimes not, so strptime may not work correctly. So what I would like to do is:
index="test" | head 1 | eval field = lastUpdate | if field ="2014.01.12" ----> parse it | else .....
Don't focus on my example, the thing that I don't understand is how to do the if else.
Thanks for the help.
Try this
index="test" | head 1 | eval field = lastUpdate | eval date = if(isnotnull(field), strptime(field, "%Y.%m.%d %H:%M.%S"), now())
(lastUpdate is an extracted field)
OR
index="test" lastUpdate=* | eval field = lastUpdate | eval date = strptime(field, "%Y.%m.%d %H:%M.%S")
(lastUpdate is an extracted field)
Thanks 🙂 helped me.
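An added example, not part of the original thread: a self-contained search that runs the if(isnotnull(...)) pattern from the answer over three constructed events (a valid lastUpdate, a malformed one, and a missing one) and adds a case() that reports which situation each event is in. The sample values and the field names n, parsed, date_status, date_if, date_safe and date_readable are assumptions made for this illustration; the time format is the one used in the thread.

```spl
| makeresults count=3
| streamstats count AS n
| eval sample_note="constructed sample event, not data from the thread"
| eval lastUpdate=case(n=1, "2014.01.12 10:15.30", n=2, "N/A", n=3, null())
| eval parsed=strptime(lastUpdate, "%Y.%m.%d %H:%M.%S")
| eval date_status=case(isnull(lastUpdate), "missing", isnull(parsed), "unparseable", true(), "ok")
| eval date_if=if(isnotnull(lastUpdate), parsed, now())
| eval date_safe=coalesce(parsed, _time)
| eval date_readable=strftime(date_safe, "%Y-%m-%d %H:%M:%S")
| table n lastUpdate date_status parsed date_if date_safe date_readable
```

In the output, the event with no lastUpdate gets the current time in date_if, while the malformed one stays null there because strptime returns null when the string does not match the format. Keeping date_status next to the fallback value lets a later where or stats clause separate real timestamps from substituted ones.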