Hi
Can you please tell me how I can extract the events for which the difference between current_time and timestampOfReception is greater than 4 hours for the below Splunk query:
`eoc_stp_events_indexes` (host=p* OR host=azure_srt_prd_0001) (messageType=seev.047* OR messageType=SEEV.047*) status=SUCCESS targetPlatform=SRS_ESES
NOT [ search (index=events_prod_srt_shareholders_esa OR index=eoc_srt) seev.047 Name="Received Disclosure Response Command"
| spath input=Properties.appHdr
| rename bizMsgIdr AS messageBusinessIdentifier
| fields messageBusinessIdentifier ]
| eval Current_time = strftime(now(), "%Y-%m-%d %H:%M:%S")
| eval diff = now() - strptime(timestampOfReception, "%Y-%m-%d %H:%M:%S")
| fillnull value="-" timestampOfReception messageOriginIdentifier messageBusinessIdentifier direction messageType currentPlatform sAAUserReference
| sort -timestampOfReception
| table diff, Current_time, timestampOfReception, messageOriginIdentifier, messageType, status, messageBusinessIdentifier, originPlatform, direction, sourcePlatform, currentPlatform, targetPlatform, senderIdentifier, receiverIdentifier
| rename timestampOfReception AS "Timestamp of reception", originPlatform AS "Origin platform", sourcePlatform AS "Source platform", targetPlatform AS "Target platform", senderIdentifier AS "Sender identifier", receiverIdentifier AS "Receiver identifier",
messageOriginIdentifier AS "Origin identifier", messageBusinessIdentifier AS "Business identifier", direction AS Direction, currentPlatform AS "Current platform", sAAUserReference AS "SAA user reference", messageType AS "Message type"
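The core of the problem is that strftime() returns a string, so subtracting timestampOfReception from it yields nothing; the age has to be computed in epoch seconds with strptime() and then filtered with where. The search below is an added, self-contained example (not from the original post): it builds four constructed events with makeresults, one with a missing timestamp, and assumes timestampOfReception is a string in the same "%Y-%m-%d %H:%M:%S" format the post uses for Current_time.

```spl
| makeresults count=4
| streamstats count AS n
| eval age_hours = case(n=1, 1, n=2, 5, n=3, 26, true(), null())
| eval timestampOfReception = if(isnull(age_hours), "-", strftime(now() - age_hours*3600, "%Y-%m-%d %H:%M:%S"))
| eval reception_epoch = strptime(timestampOfReception, "%Y-%m-%d %H:%M:%S")
| eval diff_seconds = now() - reception_epoch
| eval Current_time = strftime(now(), "%Y-%m-%d %H:%M:%S")
| eval diff = tostring(diff_seconds, "duration")
| where isnotnull(reception_epoch) AND diff_seconds > 4*3600
| table n, timestampOfReception, Current_time, diff_seconds, diff
```

Run as written it returns only the 5-hour and 26-hour rows; the 1-hour row fails the threshold and the "-" row is dropped because strptime() returns null for an unparseable value, so apply the strptime/where step before fillnull replaces empty timestamps with "-". To apply it to the real search, insert the reception_epoch, diff_seconds and where lines in place of the original eval diff.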