How do I compare dates and exclude the event if it is older?
I have here my table from the transaction command. I want to compare the ReportedTime to Occurtime. If it is older, then NeSn will be excluded.
What's the query you're using to build out this table? It seems to me that most of your fields are multi-value fields.
You're probably better off making sure that each line has a single ReportedTime and Occurtime. Once you do that you can use the answer posted by Rich to compare both timestamps.
It may be easier to exclude the events before the transaction command. For example,
| where strptime(OccurTime, "%Y-%m-%d %H:%M:%S") < strptime(ReportedTime, "%Y-%m-%d %H:%M:%S") | transaction ...
Date strings have to be converted to integers before they can be compared. Hence the strptime() calls.
Thanks for your reply. I tried to add it before or after the transaction but it is still giving me the old dates.