Drop the equals sign between your string "rehire date" and the earliest="..." and you should be good.
Edit: Now that rehire_date has been confirmed as an extracted field that's different from _time, using the latest filters is not going to work. Instead, you'll need to set your time range as wide as necessary to match your event's _time values and run a search like this:
keywords that identify your events | where rehire_date >= strptime("12/01/2014", "%m/%d/%Y") AND rehire_date < strptime("01/01/2015", "%m/%d/%Y")
Note, I have added a day to the end because you mentioned "through 12/31/2014", implying that rehires that happen on the 31st should still be found.
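As an added example (not from the original thread), this stand-alone search builds four constructed "Rehire Date" values with makeresults and applies the half-open window described above; the field name and the "%Y/%m/%d %H:%M:%S" format are assumptions taken from the asker's later search.

```spl
| makeresults count=4
| streamstats count AS n
| eval "Rehire Date"=case(n==1, "2014/11/30 09:00:00",
                          n==2, "2014/12/01 00:00:00",
                          n==3, "2014/12/31 17:30:00",
                          n==4, "2015/01/01 08:00:00")
| eval rehire_epoch=strptime('Rehire Date', "%Y/%m/%d %H:%M:%S")
| where rehire_epoch >= strptime("12/01/2014", "%m/%d/%Y")
    AND rehire_epoch <  strptime("01/01/2015", "%m/%d/%Y")
| table "Rehire Date" rehire_epoch
```

Only the 12/01 and 12/31 rows survive; an upper bound of 12/31/2014 00:00:00 would have dropped the 17:30 rehire on the 31st.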
Remove the equal sign after the "rehire date" ?
"rehire date" earliest="12/01/2014:00:00:00" latest="12/31/2014:00:00:00"
Or should I be adding another "=" between
I'm trying to find all rehires between 12/01/2014 through 12/31/2014. I'm getting 0 events when I know I should be getting at least 4 people that come up.
You have to change the earliest and latest values in the query below and try:
eval begindate="$earliest$" | eval epochdaystart=if(isnum(begindate), begindate, relative_time(now(), begindate)) | eval epochdaystart=strftime(epochdaystart,"%Y%m%d") | eval dateepoch=strftime(_time,"%Y%m%d") | eval latest="$latest$" | eval enddate=if(latest=="now","@d",latest) | eval epochdayend=if(isnum(enddate), enddate, relative_time(now(), enddate)) | eval epochdayend=strftime(epochdayend,"%Y%m%d") | where dateepoch>=epochdaystart AND dateepoch<=epochdayend
I have updated my answer to reflect that the rehire date is in fact not the timestamp of the event but rather an unrelated extracted field.
Thank you! I was able to find the correct number of people using the following:
"Rehire Date">="2014/12/01 00:00:00" AND "Rehire Date"<"2015/01/01 00:00:00"
Is "rehire date" an extracted field? Is the timestamp for your events the same as "rehire date"? Can you post some sample entries?
Yes, the "rehire date" is an extracted field. The timestamp of the events is a different date from the "rehire date". To post a sample I'd have to reproduce something fake.