I confirm that with -10d@d it doesn't work:
index="ai-wkst-windows-wmi-fr" (sourcetype="WMI:LastLogon" OR sourcetype="WMI:LastReboot")
| eval LastLogon = strptime(LastLogon,"%Y%m%d%H%M%S")
| eval LastBootUpTime = strptime(LastBootUpTime,"%Y%m%d%H%M%S")
| eval secondlastday=relative_time(now(), "-2d@d")
| eval nexttendays=relative_time(now(), "-10d@d")
| where (LastLogon < secondlastday) AND (LastBootUpTime > nexttendays)
| table LastLogon LastBootUpTime
and I just want to display a result if LastLogon < 2 days from the current day and if LastReboot >10 days from the current day.
When I run the code below I have results, but I need to add my where conditions:
index="ai-wkst-windows-wmi-fr" (sourcetype="WMI:LastLogon" OR sourcetype="WMI:LastReboot")
| eval LastLogon = strptime(LastLogon,"%Y%m%d%H%M%S")
| eval LastBootUpTime = strptime(LastBootUpTime,"%Y%m%d%H%M%S")
| eval secondlastday=relative_time(now(), "-2d@d")
| eval nexttendays=relative_time(now(), "10d@d")
| dedup host
| table host LastLogon LastBootUpTime
So if I do this, I have results,
but whenever I add AND (LastBootUpTime > nexttendays) I have no results, even if I modify the relative time!
index="ai-wkst-windows-wmi-fr" (sourcetype="WMI:LastLogon" OR sourcetype="WMI:LastReboot")
| eval LastLogon = strptime(LastLogon,"%Y%m%d%H%M%S")
| eval LastBootUpTime = strptime(LastBootUpTime,"%Y%m%d%H%M%S")
| eval secondlastday=relative_time(now(), "-2d@d")
| eval nexttendays=relative_time(now(), "10d@d")
| dedup host
| where (LastLogon < secondlastday)
| table host LastLogon LastBootUpTime