Solved: How do you filter results after using the tostring...

pmhelfrich · ‎12-07-2018

I used the answer from this thread to create my query, but I can't figure out how to narrow them down.
https://answers.splunk.com/answers/108248/tostring-x-duration-working-wierd.html

I'm trying to show only the results where OLDEST_ECA Date/time is older than 12 hrs from now so I can trigger an alert. The difference can span up to days/weeks. I have the calculation showing the results appropriately, but can't figure out the filtering part.

OLDEST_ECA stored as: 2018-12-06 18:26:16.486

| eval OLDEST = strptime(OLDEST_ECA, "%Y-%m-%d %H:%M:%S")
| eval NOW_DATE = strftime(now(), "%Y-%m-%d %H:%M:%S")
| eval diff = tostring((now() - OLDEST), "duration")
| Table OLDEST_ECA NOW_DATE OLDEST NOW diff

Example result:

OLDEST_ECA               NOW_DATE                     OLDEST          NOW            diff
2018-12-06 08:00:56.831 2018-12-07 14:31:56 1544104856.000000   1544214716  1+06:31:00.000000

whrg · ‎12-08-2018

Try:

| eval OLDEST = strptime(OLDEST_ECA, "%Y-%m-%d %H:%M:%S")
| where now()-OLDEST<12*3600
...

View solution in original post

whrg · ‎12-08-2018

Try:

| eval OLDEST = strptime(OLDEST_ECA, "%Y-%m-%d %H:%M:%S")
| where now()-OLDEST<12*3600
...

pmhelfrich · ‎12-10-2018

Thanks @whrg, that did the trick! So it seems basically all time is dumbed down into seconds as a base, good to know!

How do you filter results after using the tostring "duration"?

Buttercup Games Tutorial Extension - part 9

Buttercup Games Tutorial Extension - part 8

Introducing the Splunk Developer Program!

Are you a member of the Splunk Community?

How do you filter results after using the tostring "duration"?

Buttercup Games Tutorial Extension - part 9

Buttercup Games Tutorial Extension - part 8

Introducing the Splunk Developer Program!