Hi, I have a lookup table which has the list of email IDs and the dates they logged into the application, as below:
Username time
testuser1@gmail.com 03/31/2018
testuser2@gmail.com 03/30/2018
If I use the date range on the Splunk dashboard, the query works without any issue, because it shows the timestamp in the query. But if I choose a present timeframe such as last 1 day or last 30 minutes, it is populating as now and -15m, and I'm unable to convert the time format. Could anyone please help me resolve the issue?
Query Format -
| eval mytime1=strftime($time.latest$,"%Y%m%d")
| eval mytime2=strftime($time.earliest$,"%Y%m%d")
| where mytime <= mytime1 and mytime >= mytime2
Present time frame-
| eval mytime1=strftime(now,"%Y%m%d")
| eval mytime2=strftime(-15m,"%Y%m%d")
| where mytime <= mytime1 and mytime >= mytime2
Date range -
| eval mytime1=strftime(1516942800,"%Y%m%d")
| eval mytime2=strftime(1514782800,"%Y%m%d")
| where mytime <= mytime1 and mytime >= mytime2
Thanks,
Dhana
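
One way to make the filter independent of how the time picker expresses its range, as an added example that is not part of the original post: `strftime` needs an epoch value, so instead of substituting the tokens into `eval`, let the search resolve them and read the resolved bounds back with `addinfo`. Assumptions: the lookup file name `user_logins.csv` and the field names `login_day` and `range_end` are hypothetical, and the panel's search has its time range bound to the time input (`<earliest>$time.earliest$</earliest>` and `<latest>$time.latest$</latest>` in the dashboard XML).

```spl
| inputlookup user_logins.csv
| eval login_day=strftime(strptime(time, "%m/%d/%Y"), "%Y%m%d")
| addinfo
| eval range_end=if(info_max_time="+Infinity", now(), info_max_time)
| eval mytime1=strftime(range_end, "%Y%m%d")
| eval mytime2=strftime(info_min_time, "%Y%m%d")
| where login_day <= mytime1 AND login_day >= mytime2
| fields Username time
```

`addinfo` writes `info_min_time` and `info_max_time` as epoch values whether the picker supplied a fixed date range or a relative range such as `-15m` to `now`; the `+Infinity` check covers an "All time" selection.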