All,
Quick one I am stuck on. I want an EVAL statement that takes _indexedtime and adds 7 days to it and creates a field that is human readable.
EVAL-sevendaysfromnow = now() + 7d@d?
Try this:
For every event as per indextime
.. | eval time=strftime(_indextime+604800,"%Y-%m-%d %H:%M:%S")
with this you will get one value that will be always be now + 7 days
..| eval time=strftime(now()+604800,"%Y-%m-%d %H:%M:%S")
Try this:
For every event as per indextime
.. | eval time=strftime(_indextime+604800,"%Y-%m-%d %H:%M:%S")
with this you will get one value that will be always be now + 7 days
..| eval time=strftime(now()+604800,"%Y-%m-%d %H:%M:%S")