I am importing an XML file. There are a few values in the XML that I would like to be alerted on. Well, I would like to be alerted when something isn't present. I want to be alerted when a field does not have another field with a value of 1.
Search:
sourcetype="report_xml" | dedup data.administration.provider-id data.administration.survey-status | chart count by data.administration.provider-id,data.administration.survey-status
Shows:
data.administration.provider-id 1 10 2 3 4 5 6 7 8 9
12345 1 0 0 0 0 0 1 0 1 1
23456 1 0 0 0 0 0 0 0 1 1
34567 1 0 0 0 0 0 1 0 1 1
45678 1 0 1 0 0 0 1 0 1 1
56789 0 0 0 1 0 0 0 1 1 0
678901 1 0 0 0 0 1 0 0 1 0
789012 1 1 1 0 1 1 1 1 1 0
890123 1 0 0 0 0 0 1 0 1 1
901234 1 0 0 0 0 0 0 0 1 1
123456 1 0 0 0 0 0 0 0 1 0
234567 1 0 0 0 0 0 1 0 1 1
345678 1 0 0 1 0 0 1 0 1 1
I would like to have an alert when there is no survey-status=1 (like in this case provider-id=56789).
Example of the XML (added spaces around the brackets):
< ?xml version="1.0" encoding="UTF-8"? >
< monthlydata xmlns="http://www.xml.example" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >
< header >
< provider-name >TEST SYSTEM< /provider-name >
< provider-id >56789< /provider-id >
< sample-size >321< /sample-size >
< sample-type >1< /sample-type >
< /header >
< data >
< administration >
< provider-id >56789< /provider-id >
< patient-id >1234567< /patient-id >
< admission-source >2< /admission-source >
< survey-status >5< /survey-status >
< /administration >
< response >
< cleanliness >7< /cleanliness >
< quiet >9< /quiet >
< language-speak >1< /language-speak >
< /response >
< /data >
< data >
< administration >
< provider-id >56789< /provider-id >
< patient-id >1234566< /patient-id >
< admission-source >1< /admission-source >
< survey-status >1< /survey-status >
< /administration >
< response >
< cleanliness >3< /cleanliness >
< quiet >8< /quiet >
< language-speak >2< /language-speak >
< /response >
< /data >
< /monthlydata >
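One way to express the "no survey-status=1 for this provider" condition as a search, shown as an added example that is not part of the original post. It uses the sourcetype and field names from the search above; the alias `statuses` is introduced here for illustration. It collects every survey-status seen per provider-id and keeps only the providers whose list contains no value of exactly 1.

```spl
sourcetype="report_xml"
| stats values(data.administration.survey-status) AS statuses BY data.administration.provider-id
| where isnull(mvfind(statuses, "^1$"))
```

Saved as an alert that triggers when the number of results is greater than zero, each result row names a provider-id with no survey-status of 1 in the search window, with the statuses that were seen listed in `statuses`.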