I have a input lookup file called agingalertreport. The content looks like this.
|inputlookup agingalertreport
alerttime alertname hostname
Mon Aug 17 04:55:02 2015 Space Low vsa116122
Now I want to create another column called age which will calculate and give me the age of the alert according to today's date, telling how many days or months old this alert is.
Can someone help me with the search?
Here's one way to get the age in days.
... | eval age=(now() - strptime(alerttime,"%a %b %d %H:%M:%S %Y"))/86400 | ...
Here's one way to get the age in days.
... | eval age=(now() - strptime(alerttime,"%a %b %d %H:%M:%S %Y"))/86400 | ...
|inputlookup agingalertreport| eval age=(now() - strptime(alerttime,"%a %b %d %H:%M:%S %Y"))/86400
alerttime alertname hostname
Tue Sep 1 05:37:21 2015 FTP Port is not responding on MO-57CCC8504.dc18.saas.sap.corp MO-57CCC8504.dc18.saas.sap.corp
Mon Aug 24 10:32:36 2015 DMZ Server - GLOBALSCAPE Process is not running dc15sftpdmz01.sha.sf.priv dc15sftpdmz01.sha.sf.priv
Mon Aug 17 04:55:02 2015 vsa116122 / Space Low (Total=7.87 GB, %Used=73.16 %) vsa116122
I am not getting the required result saying age.
I tried like passing below search, but no results.
|inputlookup agingalertreport| eval age=(now() - strptime(alerttime,"%a %b %d %H:%M:%S %Y"))/86400 | fields hostname age
hostname age
MO-57CCC8504.dc18.saas.sap.corp
dc15sftpdmz01.sha.sf.priv
vsa116122
Why is the age column not getting populated?
Thanks but still i am not getting the age field loaded.
|inputlookup agingalertreport| eval age=(now() - strptime(alerttime,"%a %b %d %H:%M:%S %Y"))/86400 | fields hostname age
hostname age
MO-57CCC8504
dc15sftpdmz01.sha.sf.priv
vsa116122