This search checks to make sure a certain process ended on time. I expect to have results for the 6 cases in the where clause below. In the case that a Client's process did not end on time, it would not be returned in this search.
I would like to reverse the logic to return information for when a Client misses an expected end time.
For Example: if client6's process ends after 01:15:00, I would want to see the ClientID and expected time range.
source=*D:\\THY\\helper* source=*IH_Daily\\Debug* End earliest=-30h@h
| eval time=strftime(round(strptime(file_Time, "%I:%M:%S %P")), "%H:%M:%S")
| rex field=source "importhelpers\\\+(?[^\\\]+)"
| where ((like(source,"%"."client1"."%")) AND time>"05:00:00" AND time<"05:15:00")
OR ((like(source,"%"."client2"."%")) AND time>"09:30:00" AND time<"09:45:00")
OR ((like(source,"%"."client3"."%")) AND time>"07:30:00" AND time<"07:42:00")
OR ((like(source,"%"."client4"."%")) AND time>"07:00:00" AND time<"07:25:00")
OR ((like(source,"%"."client5"."%")) AND time>"05:00:00" AND time<"05:30:00")
OR ((like(source,"%"."client6"."%")) AND time>"00:30:00" AND time<"01:15:00")
| table ClientID, timerange, source
↧