I used the answer from this thread to create my query, but I can't figure out how to narrow them down.
https://answers.splunk.com/answers/108248/tostring-x-duration-working-wierd.html
I'm trying to show only the results where OLDEST_ECA Date/time is older than 12 hrs from now so I can trigger an alert. The difference can span up to days/weeks. I have the calculation showing the results appropriately, but can't figure out the filtering part.
OLDEST_ECA stored as: 2018-12-06 18:26:16.486
| eval OLDEST = strptime(OLDEST_ECA, "%Y-%m-%d %H:%M:%S")
| eval NOW = now()
| eval NOW_DATE = strftime(now(), "%Y-%m-%d %H:%M:%S")
| eval diff = tostring((now() - OLDEST), "duration")
| table OLDEST_ECA NOW_DATE OLDEST NOW diff
Example result:
OLDEST_ECA NOW_DATE OLDEST NOW diff
2018-12-06 08:00:56.831 2018-12-07 14:31:56 1544104856.000000 1544214716 1+06:31:00.000000
Try:
| eval OLDEST = strptime(OLDEST_ECA, "%Y-%m-%d %H:%M:%S")
| where now()-OLDEST<12*3600
...
Thanks @whrg, that did the trick! So it seems basically all time is dumbed down into seconds as a base, good to know!
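The arithmetic the answer relies on, reproduced outside Splunk so the threshold can be checked against known rows before it is wired into an alert. This is an added example, not code from the thread: it mirrors strptime(), tostring(x, "duration") and the where clause in plain Python. Assumptions: the poster's Splunk timezone is UTC-6 (the only offset under which the question's OLDEST value 1544104856 matches "2018-12-06 08:00:56"), "now" is pinned to the question's NOW value 1544214716 so the numbers are reproducible, the sample rows and their host field are constructed, and because the question asks for entries older than 12 hours the comparison is now - OLDEST > 12*3600 (the answer's < keeps the entries younger than 12 hours instead, so flip the operator for the alert).

```python
"""Mirror the thread's SPL time handling:

  | eval OLDEST = strptime(OLDEST_ECA, "%Y-%m-%d %H:%M:%S")
  | eval diff   = tostring(now() - OLDEST, "duration")
  | where now() - OLDEST > 12*3600      (older than 12 hours -> alert)

Added example, not from the thread. Assumes the poster's Splunk timezone
is UTC-6 and pins "now" to the question's NOW value so results reproduce.
"""
from datetime import datetime, timedelta, timezone

LOCAL_TZ = timezone(timedelta(hours=-6))   # assumption: poster's Splunk timezone
FIXED_NOW = 1544214716                      # the NOW column from the question
THRESHOLD_SECONDS = 12 * 3600               # "older than 12 hrs"; epoch math is in seconds

# Constructed sample rows in the question's OLDEST_ECA layout; the first row is
# the question's own example row, the others are invented.
SAMPLE_ROWS = [
    {"host": "app01", "OLDEST_ECA": "2018-12-06 08:00:56.831"},  # about 1d 6h old -> alert
    {"host": "app02", "OLDEST_ECA": "2018-12-07 10:15:00.000"},  # about 4h old -> no alert
    {"host": "app03", "OLDEST_ECA": "2018-11-20 23:59:59.000"},  # weeks old -> alert
]


def to_epoch(oldest_eca: str) -> float:
    """Mirror strptime(OLDEST_ECA, "%Y-%m-%d %H:%M:%S").

    The question's output shows OLDEST as 1544104856.000000 for a value ending
    in ".831", i.e. the fractional part was dropped, so it is dropped here too.
    """
    head = oldest_eca.split(".", 1)[0]
    dt = datetime.strptime(head, "%Y-%m-%d %H:%M:%S").replace(tzinfo=LOCAL_TZ)
    return dt.timestamp()


def duration_string(seconds: float) -> str:
    """Mirror tostring(x, "duration"): HH:MM:SS.ffffff, prefixed with D+ once the
    span reaches a full day (the question's diff column shows 1+06:31:00.000000)."""
    whole = int(seconds)
    frac = seconds - whole
    days, rem = divmod(whole, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    body = f"{hours:02d}:{minutes:02d}:{secs:02d}.{int(round(frac * 1_000_000)):06d}"
    return f"{days}+{body}" if days else body


def stale_rows(rows, now=FIXED_NOW, threshold=THRESHOLD_SECONDS):
    """Return the rows whose OLDEST_ECA is older than `threshold` seconds,
    each annotated with its age in seconds and the duration string."""
    out = []
    for row in rows:
        age = now - to_epoch(row["OLDEST_ECA"])
        if age > threshold:                     # the "where" clause for the alert
            out.append({**row, "age_seconds": age, "diff": duration_string(age)})
    return out


if __name__ == "__main__":
    for r in stale_rows(SAMPLE_ROWS):
        print(r["host"], r["OLDEST_ECA"], r["diff"])
```

Running the block lists app01 and app03 (the two rows more than 12 hours old) with the same 1+06:31:00.000000 style of duration the question shows; app02 is filtered out because its age is only a few hours.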