I want to compare two dates using case statement
Theoretically, case( _time > "2016-01-01") . If True, Print "Yes" in New column status1
Below is the search, but I am not getting any results. Can you please help?
index="test4" sourcetype="test2" | convert timeformat="%Y-%m-%d" ctime(_time) AS c_time | eval status1 = case(c_time < strptime(strptime("2016-01-01","%Y-%m-%d"),"%Y-%m-%d") , "Yes") |table _time, c_time, Status1 , Name, Rank
Note: I'm using strptime twice to convey from epoch.
... View more