I have events containing the field Agent_Local_Time="9/19/2016 1:36:19 PM". I use EVAL to format the time, eval final_time=strftime(strptime(Agent_Local_Time,"%m/%d/%Y %l:%M:%S %p"),"%Y-%b-%d"), and I also EVAL start_time and end_time as below:
start_date=strptime("3/1/2016","%m/%d/%Y")
end_date=strptime("8/31/2016","%m/%d/%Y")
Can I compare final_time between start_date and end_date like below?
| where final_time>start_date AND final_time<end_date
Is there any solution if it can't?
Thanks.
You can keep final_time in epoch format (at least temporarily) and then compare it with start_date and end_date, like this:
...your search | eval final_time=strptime(Agent_Local_Time,"%m/%d/%Y %l:%M:%S %p") | eval start_date=strptime("3/1/2016","%m/%d/%Y") | eval end_date=strptime("8/31/2016","%m/%d/%Y")
| where final_time>start_date AND final_time<end_date | eval final_time=strftime(final_time,"%Y-%b-%d")
Thanks, it works now.
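The point of the accepted answer is that the comparison has to happen on epoch numbers, and the "%Y-%b-%d" formatting has to come last. The Python below is an added illustration of that ordering and is not code from the thread or from Splunk; it models Splunk's strptime/strftime with Python's datetime (Splunk's "%l" hour directive corresponds to Python's "%I"), uses constructed sample events (only the first value is quoted in the question), and assumes the same strict < and > bounds the thread uses.

```python
from datetime import datetime

# Splunk's strptime "%l" (hour 1-12, space padded) corresponds to Python's "%I",
# which also accepts an unpadded hour such as "1:36:19".
EVENT_FMT = "%m/%d/%Y %I:%M:%S %p"
DATE_FMT = "%m/%d/%Y"
DISPLAY_FMT = "%Y-%b-%d"   # the display format used in the question

# Constructed sample events; only the first value appears in the thread.
EVENTS = [
    {"Agent_Local_Time": "9/19/2016 1:36:19 PM"},
    {"Agent_Local_Time": "2/29/2016 12:00:00 AM"},
    {"Agent_Local_Time": "4/2/2016 11:05:00 AM"},
    {"Agent_Local_Time": "7/4/2016 3:00:00 PM"},
    {"Agent_Local_Time": "8/31/2016 11:59:59 PM"},
]


def to_epoch(text, fmt):
    """Parse like Splunk's strptime(): returns seconds since the epoch (float)."""
    return datetime.strptime(text, fmt).timestamp()


def filter_by_epoch(events, start="3/1/2016", end="8/31/2016"):
    """Mirror the accepted answer: keep final_time as epoch, compare, format last."""
    start_date = to_epoch(start, DATE_FMT)
    end_date = to_epoch(end, DATE_FMT)
    kept = []
    for ev in events:
        final_time = to_epoch(ev["Agent_Local_Time"], EVENT_FMT)
        if start_date < final_time < end_date:   # same strict bounds as the thread
            kept.append(datetime.fromtimestamp(final_time).strftime(DISPLAY_FMT))
    return kept


def filter_by_display_string(events, start="3/1/2016", end="8/31/2016"):
    """What goes wrong if every value is first rendered as "%Y-%b-%d" and then
    compared: the comparison is lexicographic, and month abbreviations do not
    sort chronologically ("Aug" < "Mar"), so the window is effectively empty."""
    def to_display(text, fmt):
        return datetime.strptime(text, fmt).strftime(DISPLAY_FMT)

    start_date = to_display(start, DATE_FMT)
    end_date = to_display(end, DATE_FMT)
    return [
        to_display(ev["Agent_Local_Time"], EVENT_FMT)
        for ev in events
        if start_date < to_display(ev["Agent_Local_Time"], EVENT_FMT) < end_date
    ]


if __name__ == "__main__":
    print("epoch comparison: ", filter_by_epoch(EVENTS))
    print("string comparison:", filter_by_display_string(EVENTS))
    # end_date is midnight at the start of 8/31, so with a strict "<" any event
    # during 8/31 is dropped; bound on the following day to include that whole day.
    print("inclusive of 8/31:", filter_by_epoch(EVENTS, end="9/1/2016"))
```

One caveat the thread's search carries: strptime("8/31/2016","%m/%d/%Y") is midnight at the start of 31 August, so "final_time<end_date" excludes everything that happened on that day; if the intent is an inclusive end date, parse the following day (or add 86400) before comparing.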