| rename "Checkin Date" as Cdate
|eval epochdate=strptime(Cdate, "%d.%m.%Y")
| eval c_time=strftime(epochdate,"%d-%m-%Y")
| eval bd_earliest_epoch = strptime("05-04-2017","%d-%m-%Y")
| eval p_time=strftime(bd_earliest_epoch,"%d-%m-%Y")
| where (c_time < p_time)
| table ItemName c_time p_time
This is not returning expected values.
below are the result events
ItemName c_time p_time
Project_2 04-08-2019 05-04-2017
VAR_T_IB 01-04-2019 05-04-2017
VAR_ItemConfig_IB 02-01-2019 05-04-2017
VAR_Item_VAR 02-01-2017 05-04-2017
Ideally it should have only shown my last event. but it shows even bigger dates that 05-04-2017
... View more