@gfuente: I tried this also.
|eval swipe=strptime($In Swipe$,'%d/%m/%y %H:%M:%S') | eval login=strptime(LoginTime,'%d/%m/%y %H:%M:%S') | eval diff = swipe-login | where diff > 0
Still it says "no result".
Below is a sample of the logs:
Index 1 (TimeStamp field=In Swipe):
EmpID,Asset,EmpName,3/11/2015 23:55
Index 2 (TimeStamp field=LoginTime):
EmpID,CardNumber,EmpName,3/11/2015 22:18
In these logs, I need the difference between the timestamp fields, so that I can check the sequence of logs for the same EmpID, whether LoginTime is prior to In Swipe.
Thanks
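An added example, not part of the original post: one way to write the comparison in SPL so that it matches the sample values above and brings both timestamps onto one row per EmpID. It assumes the fields are extracted as `In Swipe` and `LoginTime`, uses `index1` and `index2` as placeholder index names, and assumes one swipe and one login per EmpID in the search window.

```spl
(index=index1 OR index=index2)
| eval swipe=strptime('In Swipe', "%d/%m/%Y %H:%M")
| eval login=strptime(LoginTime, "%d/%m/%Y %H:%M")
| stats min(swipe) AS swipe min(login) AS login BY EmpID
| eval diff=swipe-login
| where diff > 0
```

In `eval`, single quotes name a field and double quotes delimit a string literal, and the format uses `%Y` with no seconds to match values such as `3/11/2015 23:55`. The `stats ... BY EmpID` step is needed because the two timestamps arrive on separate events, so `swipe-login` is null until they share a row.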