Hi,
I want to group event times in ranges relative to the current time. Currently this method does not work. The field I'm using is not the event time but a property of a log, so the event looks something like this:
logtime (taken as upload date), STR_TIME(1st detection date "2013-11-3"), prop1, prop2
my chart is: chart count(prop1) over AGE by prop2 usenull=f | sort + prop2
Code:
eval STR_TIME=strptime(detected_date, "%Y-%m-%d")
| eval AGE=case(STR_TIME <= time(-864000s), "10 Days",
STR_TIME > time(-864000s) AND STR_TIME < time(-2592000s), "10 to 30",
STR_TIME >= time(-2592000s) AND STR_TIME < time(-7776000s), "30 to 90",
STR_TIME >= time(-7776000s) AND STR_TIME < time(-15552000s), "90 to 180",
STR_TIME >= time(-15552000s), "180 Days Plus", "180 Days Plus" ) | chart count(prop1) over AGE by prop2 usenull=f | sort + prop2
Error:
Error in 'eval' command: The expression is malformed. Expected ).
I have also tried nested IF statements. I can't find any discussion of using maths within a "case" or "if" eval.
Also tried:
= (time()- seconds)
Are calculations like this possible?
Try this
Some search terms...| eval AGE= case(STR_TIME <= 864000, "10 Days", STR_TIME > 864000 AND STR_TIME < 2592000, "10 to 30", STR_TIME >= 2592000 AND STR_TIME < 7776000, "30 to 90", STR_TIME >= 7776000 AND STR_TIME < 15552000, "90 to 180", STR_TIME >= 15552000, "180 Days Plus") | Next search terms...
To check with current time
Some search terms...| eval STR_TIME=strptime(Vulnerability_Published_Date, "%Y-%m-%d") | eval STR_TIME = (now()-STR_TIME)| eval AGE= case(STR_TIME <= 864000, "10 Days", STR_TIME > 864000 AND STR_TIME < 2592000, "10 to 30", STR_TIME >= 2592000 AND STR_TIME < 7776000, "30 to 90", STR_TIME >= 7776000 AND STR_TIME < 15552000, "90 to 180", STR_TIME >= 15552000, "180 Days Plus") | Next search terms...
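As an added example (not from the thread above), the following search generates its own sample rows with makeresults, so it runs on any Splunk instance with no indexed data, and applies the now()-minus-strptime approach from the answer; the field names detected_date, prop1 and prop2 are taken from the question, the day offsets are constructed, and the isnull() branch is an assumption that keeps rows whose date fails to parse visible as their own bucket instead of silently disappearing from the chart.

```spl
| makeresults count=6
| streamstats count AS n
| eval days_ago=case(n=1, 3, n=2, 12, n=3, 45, n=4, 120, n=5, 400, n=6, null())
| eval detected_date=if(isnull(days_ago), "unknown",
      strftime(relative_time(now(), "-".days_ago."d"), "%Y-%m-%d"))
| eval prop1="finding-".n, prop2=if(n % 2 = 0, "hostA", "hostB")
| eval STR_TIME=strptime(detected_date, "%Y-%m-%d")
| eval age_secs=now()-STR_TIME
| eval AGE=case(isnull(age_secs), "Unparsed date",
      age_secs <= 864000, "10 Days",
      age_secs < 2592000, "10 to 30",
      age_secs < 7776000, "30 to 90",
      age_secs < 15552000, "90 to 180",
      true(), "180 Days Plus")
| chart count(prop1) AS findings over AGE by prop2 usenull=f
| eval bucket_order=case(AGE="10 Days", 1, AGE="10 to 30", 2, AGE="30 to 90", 3,
      AGE="90 to 180", 4, AGE="180 Days Plus", 5, true(), 6)
| sort bucket_order
| fields - bucket_order
```

The trailing bucket_order step is there because chart orders the AGE buckets alphabetically ("180 Days Plus" would land between "10 to 30" and "30 to 90"); sorting on a numeric rank and then dropping it keeps the rows in age order.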
So adding "| eval STR_TIME = (now()-STR_TIME)|" has allowed the relative calculation of events, where I had previously tried this within a single eval with the cases.
Hi Strive,
Your final edit has worked! Cheers
Check my edited answer
Hi Strive,
This has produced some output as a start (I have tried for quite a few hours :)), but all events are in "180 Days Plus" and no further cases seem to be met.
The other concern with this is that I want it relative to today, I'm not sure having literals will work.