I am trying to return change data for our servers. basically I import the list of open changes from the change control system, I then run a search (it will be a macro once it works) that checks if the specified server is currently in a change window,if it is it returns the change number if not it returns "operational"
sourcetype=RFClist Change_Status!=Draft OR Change_Status!=Closed Details="*serverA*" earliest=0 latest=now
| where time() > strptime(Change_Start_Date, "%F %T") AND time() < strptime(Change_End_Date, "%F %T")
| stats count as window
| eval window=if(window==0,"Operational",Change_Number)
when I use a server that is not in a change window I get the "Operational" output, but when I use a server that is in a change window I get nothing. If I just use strings in the eval/if statement I get valid output.
anyone got any ideas?
... View more