Need help merging two relevance statements together

(imported topic written by jnovak91)

Hi,

This works

Q: ((year of it as string & month of it as two digits & day_of_month of it as two digits) of date(local time zone) of it & " "& (two digit hour of it as string & ":" & two digit minute of it as string & ":" & two digit second of it as string) of time (local time zone) of it) of creation time of file whose (creation time of it = (maximum of creation times of files of folder "XXXXXXX" of folder "XXXXXXX" of parent folder of windows folder)) of folder "XXXXXX" of folder "XXXXXX" of parent folder of windows folder

A: 20100222 16:09:09

and this works

Q: (names of files whose (name of it ends with ".html") of folder "XXXXX" of folder "XXXXX" of parent folder of windows folder)

A: 11111111111111111.html

A: 22222222222222222.html

A: 33333333333333333.html

I want to add the second statement to the first one and get my results filtered on the newest log file with just the extension of .html. There are other log files in that folder that I don’t want to report on. I am having a hard time figuring out where to add it.

Thanks in advance,

Jason

(imported comment written by jessewk)

You’re right. What you are trying to do is a little complicated. The strategy I use is to construct a tuple, where the first item in the tuple is the maximum value and the second item is the list of things you want to examine. I then compare the first item in the tuple to each of the second items in the tuple to find the one that matches the maximum. Once I’ve found the match I can then ask for properties of the matching item.

Here is an example that grabs the modification time of the most recent BigFix Client log:

modification time of item 1 of it whose (item 0 of it = preceding text of first ".log" of names of item 1 of it as integer) of (maximum of (it as integer) of preceding texts of firsts ".log" of names of files whose ((it ends with ".log" and exists match (regex "\d") of it) of name of it) of it, files whose ((it ends with ".log" and exists match (regex "\d") of it) of name of it) of it) of folder "c:\program files\bigfix enterprise\bes client\__besdata\__global\logs"

The above query includes an example of how to filter down to only certain logs based on name. You’ll need to modify it for your circumstances. For example, I’m getting the maximum of an integer while you will want to convert to use time.

Jesse

(imported comment written by jnovak91)

Thanks Jesse.

I haven’t had a chance to play around with this in my environment yet; I am going to try and spend some time on it this week and will use your advice. It looks a little bit out of my league but I’ll try and work through it :)

Before I go further with this analysis I would like input on if my ultimate goal is even feasible. We have a home grown app that generates these log files each time the app is run. In theory, I want to do the following:

• Search inside all of the log files for a specific string. An example would be “Chkdsk: Successful on C”.

• Filter my search results so that I am only searching through the log files that contain a .html file extension

• Return the file creation date of the most recent/current log file in the below format from my previous post that meets the above criteria. There may be multiple log files with the text string “Chkdsk: Successful on C” in the file in that directory but I just want the date stamp from the most recent/current file containing that text string.

• I may be able to drop the filter on just .html file because the search string “Chkdsk: Successful on C” should not be in any other log file type. If I could do this, would I just take the same tuple approach mentioned before?

Some notes

• I have to use the creation date of the file because of the way the application was written to spit out log files. They are in d/m/yyyy format and it would be a tremendous undertaking to change the output and go back and rename all the log files in that directory to something usable. The format text string is the same within the log itself, so pulling the date from within the log file would not work either.

• I need to return the date in yyyymmdd format because they are planning to pull this data into our Business Intelligence application and it needs to be somewhat normalized.

• They didn’t intend to track the logging in any way let alone with BigFix when they wrote this app so the data I need to analyze is in a format that is user friendly and not data parsing friendly. This is really the only way that I can think of to try and meet my requirements for both the BigFix analysis and the Business Intelligence integration.

• I am open to suggestions so any help in which direction to go is appreciated.

Hope this all makes sense….

As always, thanks in advance.

Jason

(imported comment written by NoahSalzman)

Just addressing the date manipulation: this Relevance will work if there is a standard separator in the file name.

Q: (following text of last "-" of it & ((if (length of it < 2) then ("0" & it) else it) of following text of first "-" of preceding text of last "-" of it) & ((if (length of it < 2) then ("0" & it) else it) of preceding text of first "-" of it) ) of name of file "/tmp/05-06-2000"

A: 20000605

Q: (following text of last "-" of it & ((if (length of it < 2) then ("0" & it) else it) of following text of first "-" of preceding text of last "-" of it) & ((if (length of it < 2) then ("0" & it) else it) of preceding text of first "-" of it) ) of name of file "/tmp/5-6-2000"

A: 20000605

(Edit: make it yyyymmdd instead of yyyyddmm)

(imported comment written by jessewk)

Hi Jason,

You can definitely use relevance to accomplish all of your goals. Give it a try and feel free to post what you’ve got so far if you get stuck.

Jesse

(imported comment written by jnovak91)

Help please! I am struggling with building this analysis. I have read through the Tuples section in the Relevance Language Guide as well as Jesse’s response but I am just not getting the concept of how to apply it to what I need. I am pretty sure I can get away with just searching through all of the files in that folder for my text string (which should simplify it) but if I could filter on just the html files, that would make it more efficient (I think). I have the following parts:

Return the date of the most recent log file in format I want (this gets the newest file regardless of the extension; I want just the date of the newest .html extension):

Q: ((year of it as string & month of it as two digits & day_of_month of it as two digits) of date(local time zone) of it & " "& (two digit hour of it as string & ":" & two digit minute of it as string & ":" & two digit second of it as string) of time (local time zone) of it) of creation time of file whose (creation time of it = (maximum of creation times of files of folder "XXXXXX" of folder "XXXXXX" of parent folder of windows folder)) of folder "XXXXXX" of folder "XXXXXX" of parent folder of windows folder

A: 20100304 12:54:59

I then tried filtering out just the .html file with this:

Q: ((year of it as string & month of it as two digits & day_of_month of it as two digits) of date(local time zone) of it & " "& (two digit hour of it as string & ":" & two digit minute of it as string & ":" & two digit second of it as string) of time (local time zone) of it) of creation time of it whose (creation time of it = (maximum of creation times of files of folder "XXXXXX" of folder "XXXXXX" of parent folder of windows folder)) of files whose (name of it ends with ".html") of folder "XXXXXX" of folder "XXXXXX" of parent folder of windows folder

A: 20100304 12:54:59

Which I thought worked until I created a file in that folder that was newer than the .html file with a different extension.

Q: ((year of it as string & month of it as two digits & day_of_month of it as two digits) of date(local time zone) of it & " "& (two digit hour of it as string & ":" & two digit minute of it as string & ":" & two digit second of it as string) of time (local time zone) of it) of creation time of it whose (creation time of it = (maximum of creation times of files of folder "XXXXXX" of folder "XXXXXX" of parent folder of windows folder)) of files whose (name of it ends with ".html") of folder "XXXXXX" of folder "XXXXXX" of parent folder of windows folder

E: Singular expression refers to nonexistent object.

After trying to get the above to work, I took a break from that stuff and started working on my search strings and seeing if I could find what I was looking for. I got this to work:

Q: exists lines whose (it contains "Chkdsk: Successful on C") of files of folder "XXXXXX" of folder "XXXXXX" of parent folder of windows folder

A: True

And then I tried expanding on it with this to search just the .html files. Which I think works because it evaluates faster than the above:

Q: exists lines whose (it contains "Chkdsk: Successful on C") of files whose (name of it ends with ".html") of folder "XXXXXX" of folder "XXXXXX" of parent folder of windows folder

A: True

Q: exists lines whose (it contains "ChkdskZZZZZZZ: Successful on C") of files whose (name of it ends with ".html") of folder "XXXXXX" of folder "XXXXXX" of parent folder of windows folder

A: False

I then tried incorporating the pieces as “items” in a tuple based off of Jesse’s post and it just got ugly from there.

Am I overcomplicating it? All I am looking to get is the creation date of the most recent .html file in “yyyymmdd time” format that has the words “Chkdsk: Successful on C” in it. The search string will be in other .html files in that folder but I just want the date of the most recent one. Once I get it working I’ll need to expand it to about ten unique search strings.

Any direction/help is greatly appreciated.

Thank you,

Jason

(imported comment written by NoahSalzman)

Well, for this part:

Q: ((year of it as string & month of it as two digits & day_of_month of it as two digits) of date(local time zone) of it & " "& (two digit hour of it as string & ":" & two digit minute of it as string & ":" & two digit second of it as string) of time (local time zone) of it) of creation time of it whose (creation time of it = (maximum of creation times of files of folder "XXXXXX" of folder "XXXXXX" of parent folder of windows folder)) of files whose (name of it ends with ".html") of folder "XXXXXX" of folder "XXXXXX" of parent folder of windows folder

E: Singular expression refers to nonexistent object.

Do this instead:

((year of it as string & month of it as two digits & day_of_month of it as two digits) of date(local time zone) of it & " "& (two digit hour of it as string & ":" & two digit minute of it as string & ":" & two digit second of it as string) of time (local time zone) of it) of maximum of creation times of files whose (name of it ends with ".html") of folder "XXXXXX" of folder "XXXXXX" of parent folder of windows folder

(imported comment written by jnovak91)

That appears to be working, thank you Noah for the quick response!!! Just need to figure out how to get my search string into it now.

(imported comment written by NoahSalzman)

How about:

() of maximum of creation times of (files whose ((name of it ends with ".html") and (exists((lines of it) whose (it contains "Chkdsk: Successful on C")))) of folder "XXXXXX" of folder "XXXXXX" of parent folder of windows folder)

The tricky part was putting the parens around (lines of it) to make it a single object rather than a plural… or something like that, I could be saying that incorrectly.

(imported comment written by jnovak91)

Noah,

This is working really well! Thank you so much for your help. If I could trouble you one last time.

I am trying to get this to work based off of your logic but I am getting the following:

Q: (substrings before "." of substrings after "Chkdsk: " of lines containing "Chkdsk" of it as trimmed string) of maximum of creation times of (files whose ((name of it ends with ".html")) of folder "XXXXXX" of folder "XXXXXX" of parent folder of windows folder)

E: The operator “lines containing” is not defined.

I played around with the placement of some “whose”, “its” and “parens” but couldn’t get anywhere.

Q: (substrings before "." of substrings after "Chkdsk: " of lines containing "Chkdsk" of it as trimmed string) of files whose (maximum of creation times of (files whose ((name of it ends with ".html")) of folder "XXXXXX" of folder "XXXXXX" of parent folder of windows folder))

E: The operator “files” is not defined.

I was using this, which did get the results I expected but I will run into that same file extension issue I mentioned earlier.

Q: (substrings before "." of substrings after "Chkdsk: " of lines containing "Chkdsk" of it as trimmed string) of file whose (creation time of it = (maximum of creation times of files of folder "XXXXXX" of folder "XXXXXX" of parent folder of windows folder)) of folder "XXXXXX" of folder "XXXXXX" of parent folder of windows folder

A: Successful on C:

A: Failed on Z: , unknown file system

Thoughts? What am I missing?

I think this is the final piece I need, thank you everyone. This forum is great.

Jason

(imported comment written by NoahSalzman)

You were very close. Does this work for you:

(substrings before "." of substrings after "Chkdsk: " of lines containing "Chkdsk" of it as trimmed string) of (file whose (creation time of it = (maximum of creation times of (files whose (name of it ends with ".html") of folder "XXXXXX" of folder "XXXXXX" of parent folder of windows folder))) of folder "XXXXXX" of folder "XXXXXX" of parent folder of windows folder)

edit: fix “hmtl” typo

(imported comment written by jnovak91)

That did it. Thanks again for all your help.
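
Added example, not part of the original thread and not tested against the poster's environment: the tuple strategy from Jesse's post applied to this thread's case, comparing creation times instead of integers. The same filter (.html name plus the search string) is used on both sides of the tuple, so the maximum is always taken over the same set of files that is then searched, which avoids the "Singular expression refers to nonexistent object" error seen above when a newer non-.html file exists. The folder names and search string are the placeholders used in the thread.

```relevance
(name of item 1 of it,
 ((year of it as string & month of it as two digits & day_of_month of it as two digits) of date (local time zone) of it
  & " " &
  (two digit hour of it as string & ":" & two digit minute of it as string & ":" & two digit second of it as string) of time (local time zone) of it
 ) of item 0 of it
)
of it whose (item 0 of it = creation time of item 1 of it)
of (
  maximum of creation times of files whose ((name of it ends with ".html") and (exists ((lines of it) whose (it contains "Chkdsk: Successful on C")))) of it,
  files whose ((name of it ends with ".html") and (exists ((lines of it) whose (it contains "Chkdsk: Successful on C")))) of it
)
of folder "XXXXXX" of folder "XXXXXX" of parent folder of windows folder
```

Item 0 is the newest creation time among the matching files and item 1 is each matching file, so the result is the name and "yyyymmdd hh:mm:ss" stamp of the newest matching log; other properties of item 1 can be requested in the same place.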