Thank You!
You put me on the correct path. I needed the following.
sourcetype=qps | where strptime(last_updt_dtm,"%Y-%m-%d %H:%M:%S") < relative_time(now(),"-2mon@mon")
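The cutoff logic of the `where strptime(...) < relative_time(now(),"-2mon@mon")` search above, modelled outside Splunk as an added example (not code from the original post): the string field is parsed first, then compared to a cutoff of "two months back, snapped to the start of that month". The function names, sample events and fixed `NOW` are constructed for illustration, and times are treated as naive local times.

```python
from datetime import datetime

# Same format string as the strptime() call in the post.
FMT = "%Y-%m-%d %H:%M:%S"


def cutoff_2mon_at_mon(now):
    """Model of the "-2mon@mon" modifier: go back two months, snap to month start."""
    months = now.year * 12 + (now.month - 1) - 2  # months since year 0, shifted back 2
    return datetime(months // 12, months % 12 + 1, 1)


def older_than_cutoff(events, now):
    """Keep events whose last_updt_dtm parses to a time strictly before the cutoff."""
    cutoff = cutoff_2mon_at_mon(now)
    kept = []
    for ev in events:
        try:
            # last_updt_dtm is text; it must be parsed before a time comparison.
            updated = datetime.strptime(ev["last_updt_dtm"], FMT)
        except (KeyError, ValueError):
            # Assumption: mirrors SPL, where strptime() yields null on a
            # missing or unparseable value and `where` then drops the row.
            continue
        if updated < cutoff:
            kept.append(ev)
    return kept


# Constructed sample events; only the first timestamp appears on the page.
SAMPLE = [
    {"id": 1, "last_updt_dtm": "2010-09-30 17:43:48"},
    {"id": 2, "last_updt_dtm": "2010-12-31 23:59:59"},
    {"id": 3, "last_updt_dtm": "2011-01-01 00:00:00"},  # exactly at the cutoff
    {"id": 4, "last_updt_dtm": "not a date"},           # unparseable value
]
NOW = datetime(2011, 3, 15, 10, 0, 0)  # constructed "now" so the run is repeatable

if __name__ == "__main__":
    print("cutoff:", cutoff_2mon_at_mon(NOW))
    for ev in older_than_cutoff(SAMPLE, NOW):
        print(ev["id"], ev["last_updt_dtm"])
```
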
I have 9999 events where the earliest one is:
last_updt_dtm = 2010-09-30 17:43:48
sourcetype=qps _time < now()
Returns all 9999
The following two searches fail
sourcetype=qps last_updt_dtm < relative_time(now(),"-2mon@mon")
sourcetype=qps _time < relative_time(now(),"-2mon@mon")
Any help would be much appreciated!
Thanks!