I have a time format field "2019-05-02T19:43:00.0000000Z" and need two things: a) convert to y-m-d h:m:s format and b) calculate age (ex. older than 12 hours). What is the best approach to this? Thank you in advance.
Hi devsupport,
take a look at this search:
| makeresults
| eval foo="2019-05-02T19:43:00.0000000Z", myEpoch=strptime(foo, "%Y-%m-%dT%H:%M:%S.%7NZ"), "a)"=strftime(myEpoch, "%Y-%m-%d %H:%M:%S"), "b)"=tostring(now() - myEpoch, "duration")
This will create the time stamp in your expected format and calculates the age since it occurred.
Hope this helps ...
cheers, MuS
Thank you Mus. When running the query, the b column returns this: 3+17:35:59.000000
Can that number be changed to round to the nearest hour? Appreciate the help.
Well, try it with your real events. The provided answer has 2019-05-02T19:43:00.0000000Z
hard coded.
cheers, MuS