How to compare an empty field with epoch time?

jam00 · ‎05-23-2019

Hello,

I have two fields: dateTimeA and dateTimeB.
When dateTimeA is empty, I add "NULL" string. Then I use strptime(dateTimeB) to get a numeric value based on epoch. How can I use dateTimeA to compare with a numeric value?

| eval dateTimeA=if((dateTimeA == "NULL"),dateTimeA,strptime(dateTimeA,"%Y-%m-%dT%H:%M:%S")) 
| eval dateTimeB=strptime(dateTimeB,"%Y-%m-%dT%H:%M:%S")
| where (dateTimeA < dateTimeB)

Thank you in advance.

koshyk · ‎05-23-2019

Please try to put 1 instead of NULL (or current time using now() )

 | eval dateTimeA=if((dateTimeA == "NULL"),"1",strptime(dateTimeA,"%Y-%m-%dT%H:%M:%S")) 
 | eval dateTimeB=strptime(dateTimeB,"%Y-%m-%dT%H:%M:%S")
 | where (dateTimeA < dateTimeB)

..

jam00 · ‎05-23-2019

dateTimeA field has dates or empties. If I use 1 that means one second, isn't it? So if I compare it with an epoch value near 1 the evaluation would be true... 1 < 1

jam00 · ‎05-23-2019

but I have an eval dateTimeA =coalesce(dateTimeA,"NULL") prior.

How to compare an empty field with epoch time?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!