I have the following client relevance statement, but I am missing something in the formatting. The “it” at the end of the second string search in () is associated with the event filter, but the “it” in the first () string search is not. What am I missing?
( preceding texts of firsts "%0d%0a" of following texts of firsts "P1:" of it ) & " | " & ( preceding texts of firsts "%0d%0a" of following texts of firsts "P4:" of it ) of unique values of descriptions whose (it contains "APPCRASH") of records whose ( event id of it =1001 ) of event log "Application"
The second “it” is pointing to the object only because it immediately precedes the object. If you enclose the entire construct in a set of parentheses, the relevance engine will associate both of them with the proper object:
(( preceding texts of firsts "%0d%0a" of following texts of firsts "P1:" of it ) & " | " & ( preceding texts of firsts "%0d%0a" of following texts of firsts "P4:" of it )) of unique values of descriptions whose (it contains "APPCRASH") of records whose ( event id of it =1001 ) of event log "Application"
I tried that already but ran the code you provided to double-check; still no joy.
Q: (( preceding texts of firsts "%0d%0a" of following texts of firsts "P1:" of it ) & " | " & ( preceding texts of firsts "%0d%0a" of following texts of firsts "P4:" of it )) of unique values of descriptions whose (it contains "APPCRASH") of records whose ( event id of it =1001 ) of event log "Application"
E: A singular expression is required.
That’s a different issue. To use concatenation, you need to create a singular string from each pass through the appcrash event log entries.
(( preceding text of first "%0d%0a" of following text of first "P1:" of it ) & " | " & ( preceding text of first "%0d%0a" of following text of first "P4:" of it )) of unique values of descriptions whose (it contains "APPCRASH") of records whose ( event id of it =1001 ) of event log "Application"
I have this code working a treat, but I would like to improve its aesthetics.
Q: If Windows of Operating System then ( multiplicity of it as string, it ) of ( unique values of ( ( preceding text of first "%0d%0a" of following text of first "P1: " of it ) & " | " & ( preceding text of first "%0d%0a" of following text of first "P4: " of it )) of ( description of it ) whose ( it contains "APPCRASH" ) of records whose ( time generated of it > now - 365 * day and event id of it = 1001 ) of event log "Application" ) as string Else "Not Windows"
A: 1, cmd.exe | StackHash_d6c2
A: 10, cscript.exe | StackHash_d6c2
A: 100, svchost.exe_wuauserv | combase.dll
I would like the output to look as follows:
1x | cmd.exe | StackHash_d6c2
10x | cscript.exe | StackHash_d6c2
100x | svchost.exe_wuauserv | combase.dll
I tried adding
concatenation "x | " ( multiplicity of it as string, it ) of… with no luck
That works to get me the “x” after the multiplicity digits, but I also want to replace the default “,” delimiter with “|” so the output looks as follows:
1x | cmd.exe | StackHash_d6c2
rather than the default, using your suggestion above: