Solved: How do you filter results after using the tostring...

pmhelfrich · ‎12-07-2018

I used the answer from this thread to create my query, but I can't figure out how to narrow them down.
https://answers.splunk.com/answers/108248/tostring-x-duration-working-wierd.html

I'm trying to show only the results where OLDEST_ECA Date/time is older than 12 hrs from now so I can trigger an alert. The difference can span up to days/weeks. I have the calculation showing the results appropriately, but can't figure out the filtering part.

OLDEST_ECA stored as: 2018-12-06 18:26:16.486

| eval OLDEST = strptime(OLDEST_ECA, "%Y-%m-%d %H:%M:%S")
| eval NOW_DATE = strftime(now(), "%Y-%m-%d %H:%M:%S")
| eval diff = tostring((now() - OLDEST), "duration")
| Table OLDEST_ECA NOW_DATE OLDEST NOW diff

Example result:

OLDEST_ECA               NOW_DATE                     OLDEST          NOW            diff
2018-12-06 08:00:56.831 2018-12-07 14:31:56 1544104856.000000   1544214716  1+06:31:00.000000

whrg · ‎12-08-2018

Try:

| eval OLDEST = strptime(OLDEST_ECA, "%Y-%m-%d %H:%M:%S")
| where now()-OLDEST<12*3600
...

View solution in original post

whrg · ‎12-08-2018

Try:

| eval OLDEST = strptime(OLDEST_ECA, "%Y-%m-%d %H:%M:%S")
| where now()-OLDEST<12*3600
...

pmhelfrich · ‎12-10-2018

Thanks @whrg, that did the trick! So it seems basically all time is dumbed down into seconds as a base, good to know!

How do you filter results after using the tostring "duration"?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

Join the Conversation