I have a query as below...
search 1|join type=left [search2]
The query returns the following fields...
aaaa | acc | det | 2014/1/2 01:48:01 CST | eee | 2014/11/27 01:48:01 CST
I want to find the difference between the date/time of dateofSearch1 and dateofSearch2, and add a new column to show the difference.
Can anyone help me to do this?
Try this:
search 1 | join type=left [search2] | eval diffTime=dateofSearch2 - dateofSearch1
Worked with a few modifications in my query...
eval diffTime=strptime(dateofSearch2, "%Y/%m/%d %H:%M:%S")-strptime(dateofSearch1, "%Y/%m/%d %H:%M:%S")