tag=tagtagtag level=error | eval Period=if(_time>=strftime("4/9/2016","%m/%d/%Y"),"New","Old") | stats values(Period) as Period by message | where mvcount(Period)=1 AND Period="New"
Gave me a bunch of hits before and after 4/9. 114k between 4/7 - 4/11 (the big date range I chose). Nothing in stats.
=====================================================
I almost got it with this...
|set diff [search tag=$env$ level=error earliest=4/9/2016:12:00:00 latest=4/9/2016:13:00:00 | dedup message] [search tag=$env$ level=error | dedup message ] | eval newTime=strftime(_time, "%m-%d-%y %H:%M:%S") | table _time, newTime, message | where newTime>=strftime("04-09-16 12:00:00", "%m-%d-%y %H:%M:%S") | table message | dedup message
newTime comes out like this: 04-09-16 12:59:58
However, when I add the "where newTime>=..." clause, I go from 200 results to 0 results, which means I messed that up. newTime isn't actually necessary; I just couldn't get the string format to match the original _time format of 2016-04-09 12:59:58.114. At any rate, I want to filter the table at that step to show only rows with a time past the given MM/DD/YY/HH/MM. I don't really need seconds, but those can be included if it's easier that way.
I would like for earliest=4/9/2016:12:00:00 and the bolded part, newTime>=strftime("04-09-16 12:00:00", "%m-%d-%y %H:%M:%S"), to be parametrizable, if possible. I hope to attach a dropdown value to it so the time can be picked in the dashboard. So it'd be something like earliest=$releaseTime$ and newTime>=strftime($releaseTime$, "%m-%d-%y %H:%M:%S"), essentially.
At any rate, my first goal is to get the proof of concept working, then I can worry about making it take parameters instead of hard-coded times.
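The "new errors only" search from the first attempt, rewritten as an added example (not the original poster's query) with the cutoff parsed by strptime() instead of strftime() and taken from a $releaseTime$ dashboard token. It assumes the token is in the same MM/DD/YYYY:HH:MM:SS form that earliest= accepts, and that the earliest=-7d@d window is wide enough to include events from before the release, so messages that already existed can be classified as "Old".

```spl
tag=$env$ level=error earliest=-7d@d
| eval cutoff=strptime("$releaseTime$", "%m/%d/%Y:%H:%M:%S")
| eval Period=if(_time>=cutoff, "New", "Old")
| stats values(Period) as Period, min(_time) as firstSeen, count by message
| where mvcount(Period)=1 AND Period="New"
| eval firstSeen=strftime(firstSeen, "%Y-%m-%d %H:%M:%S")
| sort - count
```

strftime() expects an epoch number as its first argument, so called on a string literal it returns null and every comparison against it is false, which is why both original searches lose all their rows at the comparison; strptime() parses the literal into epoch seconds that compare directly with _time. Because the same token feeds both earliest= and the cutoff, one dropdown value drives the whole search.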