I have my search set and everything is working fine except the condition. In the search I have this condition at the end of my search query (where "Time Elapsed" > "03:00:00"); this condition does not work like that and it shows all the files. However, if I have it like this (where TimeElapsed > "03:00:00"), it works just fine. I don't know why??
This is my search query
index="test" sourcetype=NewIndex| eval timenew= now()- _time| eval TimeElapsed=tostring(timenew,"duration")|replace "C:\Users\hxa27\Desktop\NewIndexing\Test\" with ""|rename source as "File Name" |eval "File Create Date"=strftime(_time,"%m-%d-%Y %H:%M:%S")|table "File Name" TimeElapsed "File Create Date"
I see. In that case,
where TimeElapsed > "something" is correct because that's the name of the field you're testing against.
where "Time Elapsed" > "something" is comparing two strings with each other, and one is literally "Time Elapsed" rather than the value of the field.
A suggestion for rewriting that query, provided I understand what you're trying to achieve: leave off the where entirely, and set the time range to not load events less than three hours old.
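As an added illustration of the two points in the answer (not part of either post), here is the poster's search written both ways, assuming the field names from the question. In SPL's eval/where, double quotes mark a string literal and single quotes mark a field name, so a field with a space must be single-quoted; the second form drops the where and lets the search time range (latest=-3h) exclude events less than three hours old, with timenew compared as a number of seconds rather than as a duration string.

```spl
index="test" sourcetype=NewIndex
| eval timenew = now() - _time
| eval "Time Elapsed" = tostring(timenew, "duration")
| where 'Time Elapsed' > "03:00:00"
| rename source AS "File Name"
| eval "File Create Date" = strftime(_time, "%m-%d-%Y %H:%M:%S")
| table "File Name" "Time Elapsed" "File Create Date"

index="test" sourcetype=NewIndex latest=-3h
| eval timenew = now() - _time
| eval "Time Elapsed" = tostring(timenew, "duration")
| rename source AS "File Name"
| eval "File Create Date" = strftime(_time, "%m-%d-%Y %H:%M:%S")
| table "File Name" "Time Elapsed" "File Create Date"
```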