Thank you very much for the answers! I'm having a great deal of trouble with time formatting though. As a test, I've tried this search query:
sourcetype=bordernat [| gentimes start=-1 | eval userinput=strptime("2017-02-05 15:00:00","%Y-%m-%d %H:%M:%S") | eval earliest=userinput-7200]
But that always returns:
Unable to parse 1486529999 with format: %m/%d/%Y:%H:%M:%S
I see that it's trying to parse epoch -> standard datetime but I don't know where in the query it's doing this and how to fix it.
Would you happen to have any ideas?