The search below looks for an event for a specific client during a specific time. If the event is not there, I would want to be notified, thus a "1" should be returned.
There is no event, so noNull is 0. The case statement "end" should be "1-0" (1-noNull), so 1 should be returned. However, I get "No results found." FYI: the search does work if noNull is 1.
source=*D:\\FHSO\\imports* source=*daily\\imports* End earliest=-30h@h
| eval time=strftime(round(strptime(file_Time, "%I:%M:%S %P")), "%H:%M:%S")
| where ClientID="WHI"
| where ((like(source,"%"."WHI"."%")) AND time>"02:00:00" AND time<"02:25:00")
| stats count as lateEnds
| eval noNull = if(ISNULL(lateEnds),0,lateEnds)
| eval end = case(ClientID="WHI", 1-noNull ) | table end
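The pattern being asked about (return 1 when an expected event is absent in a window) can be written without the `case` on `ClientID`. The reason that condition can never match is a property of `stats`: `stats count as lateEnds` collapses the pipeline to a single row that carries only `lateEnds`, so `ClientID` no longer exists at that point and `case(ClientID="WHI", ...)` has no matching branch, leaving `end` unset. The search below is an added example written for this page, not part of the original post; it reuses the poster's source patterns, field names (`file_Time`, `ClientID`) and time window exactly as given above and assumes they are correct for that environment.

```spl
source=*D:\\FHSO\\imports* source=*daily\\imports* End earliest=-30h@h
| eval time=strftime(round(strptime(file_Time, "%I:%M:%S %P")), "%H:%M:%S")
| where ClientID="WHI" AND like(source,"%WHI%") AND time>"02:00:00" AND time<"02:25:00"
| stats count AS lateEnds
| eval end = if(lateEnds==0, 1, 0)
| table end
```

`stats count` with no `by` clause always yields one row, with `lateEnds=0` when nothing matched, so `end` is 1 when the expected event is missing and 0 otherwise. Filtering on `ClientID` before `stats` keeps the client check where the field still exists; the `isnull()` guard is not needed because `count` never returns null. If the search is meant to cover several clients, add `by ClientID` to `stats` and accept that a client with no events produces no row at all, which then has to be handled by the alert condition rather than by the search.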