How do you filter results after using the tostring "duration"?

pmhelfrich — Fri, 07 Dec 2018 20:34:29 GMT

I used the answer from this thread to create my query, but I can't figure out how to narrow them down.
https://answers.splunk.com/answers/108248/tostring-x-duration-working-wierd.html

I'm trying to show only the results where OLDEST_ECA Date/time is older than 12 hrs from now so I can trigger an alert. The difference can span up to days/weeks. I have the calculation showing the results appropriately, but can't figure out the filtering part.

OLDEST_ECA stored as: 2018-12-06 18:26:16.486

| eval OLDEST = strptime(OLDEST_ECA, "%Y-%m-%d %H:%M:%S")
| eval NOW_DATE = strftime(now(), "%Y-%m-%d %H:%M:%S")
| eval diff = tostring((now() - OLDEST), "duration")
| Table OLDEST_ECA NOW_DATE OLDEST NOW diff

Example result:

OLDEST_ECA               NOW_DATE                     OLDEST          NOW            diff
2018-12-06 08:00:56.831 2018-12-07 14:31:56 1544104856.000000   1544214716  1+06:31:00.000000

Re: How do you filter results after using the tostring "duration"?

whrg — Sat, 08 Dec 2018 09:10:33 GMT

Try:

| eval OLDEST = strptime(OLDEST_ECA, "%Y-%m-%d %H:%M:%S")
| where now()-OLDEST<12*3600
...

Re: How do you filter results after using the tostring "duration"?

pmhelfrich — Mon, 10 Dec 2018 17:46:46 GMT

Thanks @whrg, that did the trick! So it seems basically all time is dumbed down into seconds as a base, good to know!

topic Re: How do you filter results after using the tostring "duration"? in Getting Data In

How do you filter results after using the tostring "duration"?

Re: How do you filter results after using the tostring "duration"?

Re: How do you filter results after using the tostring "duration"?