I have a query where in I am subtracting 2 dates from the current time. While my query works, I have noted that if the difference is 2 days in the past then this is reflected as a positive number in my table. For example:
I have the following records
| expiry_date | request_id |
| 05/08/2021 | 1234 |
| 05/08/2021 | 4567 |
| 01/08/2021 | 8901 |
| 30/08/2021 | 2345 |
My query is
|inputlookup mycurrentrequests.csv
| eval requests_past=round(abs((now()-strptime('expiry_date', "%d/%m/%Y")))/86400,0)
| where requests_past > 1 AND requests_past < 30
The search will run, however what I will now see in my view is
| expiry_date | request_id | requests_past |
| 05/08/2021 | 1234 | 2 |
| 05/08/2021 | 4567 | 2 |
| 01/08/2021 | 8901 | 2 |
| 30/08/2021 | 2345 | 27 |
For the expiry_date of 01/08/2021 this is in the past so technically "2" is correct but I want this to be presented as "-2".
I will then use this to effectively do a "where requests_past is <0" as well as a "where requests_past is > 0"
