Archive

I have an stats result that has a latest(_time) in the config and want to only include items where the latest is N minutes old

leonardr
New Member

index=product_iround_prod Level=INFO Message="Form Synchronizer complete" | stats latest(_time) AS timestamp, latest(RecordsProcessed) AS RecordCount by ProfileName FormName | convert ctime(timestamp) | sort timestamp asc

how do I filter this down to where the latest is older than say 15 minutes ago ?

Tags (1)
0 Karma
1 Solution

gcato
Contributor

Hi leonardr,

Try this

.. | eval mins_back = relative_time(now(), "-15m@m") | where timestamp >= mins_back
|  convert ctime(timestamp)  | sort timestamp asc

Note that timestamp value must still be in epoch time (matching mins_back) for the where to work. Also the where is greater than equal so maybe not exactly what you want. If you want to match a time string exactly then this can get a bit more tricky. Maybe provide some examples if you need more help.

View solution in original post

0 Karma

gcato
Contributor

Hi leonardr,

Try this

.. | eval mins_back = relative_time(now(), "-15m@m") | where timestamp >= mins_back
|  convert ctime(timestamp)  | sort timestamp asc

Note that timestamp value must still be in epoch time (matching mins_back) for the where to work. Also the where is greater than equal so maybe not exactly what you want. If you want to match a time string exactly then this can get a bit more tricky. Maybe provide some examples if you need more help.

View solution in original post

0 Karma

leonardr
New Member

Awesome thank you !

0 Karma