I have the following search:
..index bla bla...
| eval eD_A=strptime(D_A, "%Y-%m-%d %H:%M:%S.%N") , eD_AV=strptime(D_AV, "%Y-%m-%d %H:%M:%S.%N")
| eval days=floor((eD_A - eD_AV)/86400)
| stats count as daycount by days
| eval days = if(days<=7,"Binnen KPI","Buiten KPI")
| stats sum(daycount) as daycount by days
The problem I have is that some events don't have the D_A field because the process is not ready yet. I would still like to try to calculate the days between D_AV and now in the case when D_A has no date yet. Another question I have is how I can calculate with the earliest D_AV field, because this is also a date that can differ.