I used the answer from this thread to create my query, but I can't figure out how to narrow the results down.
[https://answers.splunk.com/answers/108248/tostring-x-duration-working-wierd.html][1]
I'm trying to show only the results where the OLDEST_ECA date/time is older than 12 hours from now, so I can trigger an alert. The difference can span up to days or weeks. I have the calculation showing the results appropriately, but I can't figure out the filtering part.
OLDEST_ECA stored as: 2018-12-06 18:26:16.486
| eval OLDEST = strptime(OLDEST_ECA, "%Y-%m-%d %H:%M:%S")
| eval NOW_DATE = strftime(now(), "%Y-%m-%d %H:%M:%S")
| eval NOW = now()
| eval diff = tostring((now() - OLDEST), "duration")
| table OLDEST_ECA NOW_DATE OLDEST NOW diff
Example result:

| OLDEST_ECA | NOW_DATE | OLDEST | NOW | diff |
| --- | --- | --- | --- | --- |
| 2018-12-06 08:00:56.831 | 2018-12-07 14:31:56 | 1544104856.000000 | 1544214716 | 1+06:31:00.000000 |
[1]: https://answers.splunk.com/answers/108248/tostring-x-duration-working-wierd.html
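As an added example, not code from the original post or from Splunk: a small Python model of the same pipeline, parsing the `OLDEST_ECA` timestamp (including its millisecond part), computing the age against a fixed "now", rendering it in the `D+HH:MM:SS` style the result table shows, and keeping only rows older than a 12-hour threshold. The sample rows and the fixed clock are constructed here; in SPL the corresponding filter would be a `where` on the epoch difference, e.g. `| where now() - OLDEST > 43200`, which is an assumed SPL form and not taken from the post. The example also shows two edge cases the post does not: an age of exactly 12 hours (not older, so not alerted) and an unparseable timestamp (dropped rather than alerted).

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample rows (not from the original post). OLDEST_ECA uses the same
# "YYYY-MM-DD HH:MM:SS.mmm" shape as the post's 2018-12-06 18:26:16.486.
SAMPLE_ROWS = [
    {"id": "eca-1", "OLDEST_ECA": "2018-12-06 08:00:56.831"},  # > 1 day old
    {"id": "eca-2", "OLDEST_ECA": "2018-12-07 05:31:56.000"},  # 9 hours old
    {"id": "eca-3", "OLDEST_ECA": "2018-12-07 02:31:55.999"},  # 12h + 1ms old
    {"id": "eca-4", "OLDEST_ECA": "2018-12-07 02:31:56.000"},  # exactly 12h old
    {"id": "eca-5", "OLDEST_ECA": "bad timestamp"},            # unparseable
]

# Fixed clock so the example is deterministic; it matches NOW_DATE in the post's
# result table. A real run would use datetime.now(timezone.utc).
FIXED_NOW = datetime(2018, 12, 7, 14, 31, 56, tzinfo=timezone.utc)
THRESHOLD = timedelta(hours=12)


def parse_oldest(value: str) -> Optional[datetime]:
    """Parse an OLDEST_ECA string including milliseconds (assumed UTC).
    Returns None when the string does not match, the way a failed
    strptime() in SPL leaves the field null."""
    try:
        return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def format_duration(delta: timedelta) -> str:
    """Render a positive timedelta as D+HH:MM:SS (days omitted when zero),
    the shape seen in the post's diff column; sub-second part is truncated."""
    total = int(delta.total_seconds())
    days, rem = divmod(total, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, seconds = divmod(rem, 60)
    hms = f"{hours:02d}:{minutes:02d}:{seconds:02d}"
    return f"{days}+{hms}" if days else hms


def stale_rows(rows, now=FIXED_NOW, threshold=THRESHOLD):
    """Return only the rows whose OLDEST_ECA is older than `threshold`,
    each with the computed age attached. Rows that fail to parse are
    skipped (a null OLDEST would never satisfy the SPL comparison either)."""
    out = []
    for row in rows:
        oldest = parse_oldest(row["OLDEST_ECA"])
        if oldest is None:
            continue
        age = now - oldest
        if age > threshold:  # strictly older than the threshold
            out.append({**row, "age_seconds": age.total_seconds(), "diff": format_duration(age)})
    return out


if __name__ == "__main__":
    for row in stale_rows(SAMPLE_ROWS):
        print(f'{row["id"]}: OLDEST_ECA={row["OLDEST_ECA"]} age={row["diff"]}')
```

Note that the post's own query parses with `%S` and so truncates the `.831` milliseconds, which is why its diff column reads `1+06:31:00`; parsing the fractional part as above gives `1+06:30:59` for the same row. Either is fine for a 12-hour threshold, but comparing the numeric epoch difference (seconds) rather than the formatted duration string is what keeps the filter correct across day and week boundaries.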