Splunk Search

Compare Current date with field Date

dlnewman
Loves-to-Learn

I am trying to compare the current date with the lastInformTime I have tried | eval but nothing seems to work. 

index="device_list" pppUsername=* provRecordStatus=Succeeded
| eval timenow=now()
| spath lastInformTime
| search lastInformTime>=timenow
| dedup macAddress, serialNumber
| table ipAddress, serialNumber, lastInformTime, pppUsername, macAddress

The _time that is brought in during the import does not compare with any date in the export. I am not sure where Splunk is getting it from. Is there a way to set the _time to the lastInformTime? TIA

0 Karma

to4kawa
Ultra Champion

| eval _time=lastInformTime

or

| rename lastInformTime as _time

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...