Hi,
I'm in the same scenario, but I'm trying to get the difference between CREATED_DATE and the current timestamp. For that, it is not working.
base_search
| eval it = strptime(CREATED_DATE, "%Y-%m-%d %H:%M:%S")
| eval nowstring=strptime(now(), "%Y-%m-%d %H:%M:%S")
| eval ticket_duration=tostring((now() - it), "duration" )
| table DESCRIPTION,CREATED_DATE,TICKET_STATUS,UPDATE_DATE, ticket_duration

base_search
| convert timeformat='%Y-%m-%dT%H:%M:%S' mktime(CREATED_DATE) mktime(now() AS _now)
| eval duration=(_now-CREATED_DATE)/86400
|table TTID,MANAGER_NAME,SEVERITY,DESCRIPTION,CREATED_DATE,TICKET_STATUS,UPDATE_DATE, duration
Both ways, I'm getting a null value: ticket_duration=null
Can you please suggest anything?
Thanks,