Solved: How do you filter results after using the tostring...

pmhelfrich · ‎12-07-2018

I used the answer from this thread to create my query, but I can't figure out how to narrow them down.
https://answers.splunk.com/answers/108248/tostring-x-duration-working-wierd.html

I'm trying to show only the results where OLDEST_ECA Date/time is older than 12 hrs from now so I can trigger an alert. The difference can span up to days/weeks. I have the calculation showing the results appropriately, but can't figure out the filtering part.

OLDEST_ECA stored as: 2018-12-06 18:26:16.486

| eval OLDEST = strptime(OLDEST_ECA, "%Y-%m-%d %H:%M:%S")
| eval NOW_DATE = strftime(now(), "%Y-%m-%d %H:%M:%S")
| eval diff = tostring((now() - OLDEST), "duration")
| Table OLDEST_ECA NOW_DATE OLDEST NOW diff

Example result:

OLDEST_ECA               NOW_DATE                     OLDEST          NOW            diff
2018-12-06 08:00:56.831 2018-12-07 14:31:56 1544104856.000000   1544214716  1+06:31:00.000000

whrg · ‎12-08-2018

Try:

| eval OLDEST = strptime(OLDEST_ECA, "%Y-%m-%d %H:%M:%S")
| where now()-OLDEST<12*3600
...

View solution in original post

whrg · ‎12-08-2018

Try:

| eval OLDEST = strptime(OLDEST_ECA, "%Y-%m-%d %H:%M:%S")
| where now()-OLDEST<12*3600
...

pmhelfrich · ‎12-10-2018

Thanks @whrg, that did the trick! So it seems basically all time is dumbed down into seconds as a base, good to know!

How do you filter results after using the tostring "duration"?

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...