index=mysearch
| eval watchdog_time=_time
| stats count by watchdog_time,date_hour
| convert timeformat="%Y-%m-%d %H:%M" ctime(watchdog_time)
| eval watchdog_value=if(count=1 AND date_hour<"8","OK","NOK")
| eval watchdog=if(isnull(watchdog_value),"NOK","OK")
| convert timeformat="%Y-%m-%d %H:%M" ctime(Date) | table Date, watchdog, watchdog_time
| outputlookup slaamlt.csv append=true
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
I am trying to reach an output like this:
Date watchdog watchdog_time
2017-12-06 12:32 OK 2017-12-06 05:41
2017-12-06 12:32 NOK 2017-12-06 08:23
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
but I always get this output:
Date watchdog watchdog_time
2017-12-06 12:32 OK 2017-12-06 05:41
2017-12-06 12:32 OK 2017-12-06 08:23
It just counts whether there is an entry or not, but I need to know how I can get the function to check whether the file is coming before 8am, then it is OK, but when the file comes after 8am, then it is NOK.
Thank you for helping me!
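Added example, not part of the original post: one way to derive OK/NOK directly from the arrival hour, instead of testing watchdog_value with isnull(), which returns OK whenever that field holds any value. The two makeresults events are constructed sample data using the timestamps from the question; n and arrival_hour are names introduced here, and strftime() is used rather than date_hour because generated events carry no date_hour field.

```spl
| makeresults count=2
| streamstats count AS n
| eval _time=strptime(if(n=1,"2017-12-06 05:41","2017-12-06 08:23"),"%Y-%m-%d %H:%M")
| eval watchdog_time=_time
| eval arrival_hour=tonumber(strftime(_time,"%H"))
| stats count by watchdog_time, arrival_hour
| eval watchdog=if(count=1 AND arrival_hour<8,"OK","NOK")
| eval Date=strftime(now(),"%Y-%m-%d %H:%M")
| eval watchdog_time=strftime(watchdog_time,"%Y-%m-%d %H:%M")
| table Date, watchdog, watchdog_time
```

To run it against real events, replace the first three lines with the base search (index=mysearch) and append the outputlookup command from the question.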