Search Condition

hxa27 · ‎03-11-2014

Hi,

I have my search set and everything is work fine except the condition. In the search I have this condition in the end of my query search (where "Time Elapsed" > "03:00:00"), this condition does not work if it is like that and it shows all the file. However, if I have it like this( where TimeElapsed > "03:00:00"); it works just fine I don't know why??

Any idea

Thanks

linu1988 · ‎03-11-2014

then why "Time Elapsed" in where?

martin_mueller · ‎03-11-2014

I see. In that case, where TimeElapsed > "something" is correct because that's the name of the field you're testing against. where "Time Elapsed" > "something" is comparing two strings with each other, and one is literally "Time Elapsed" rather than the value of the field.

A suggestion for rewriting that query, provided I understand what you're trying to achieve: Leave off the where entirely, and set the time range to not load events less than three hours old.

hxa27 · ‎03-11-2014

This is my search query

index="test" sourcetype=NewIndex| eval timenew= now()- _time| eval TimeElapsed=tostring(timenew,"duration")|replace "C:\Users\hxa27\Desktop\NewIndexing\Test\" with ""|rename source as "File Name" |eval "File Create Date"=strftime(_time,"%m-%d-%Y %H:%M:%S")|table "File Name" TimeElapsed "File Create Date"

martin_mueller · ‎03-11-2014

Well, what's the name of the field you're testing the condition against?

Search Condition

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor