I'm pretty new to Splunk, so my approach may be incorrect. However, at this time my query is as below:
search query
| eval pollingTime=strptime(requestDate,"%Y-%m-%d %H:%M:%S.%3N")
| eval drainingTime=strptime(receivedDate,"%Y-%m-%d %H:%M:%S.%3N")
| eval timeDiff=tostring((drainingTime-pollingTime),"duration")
| table requestDate receivedDate timeDiff
With the above I'm able to obtain the timeDiff value in the format (00:00:0.000000). If I want to check whether the value is greater than an hour, how should I go about doing this?
My thoughts were something like:
| eval isDelayed=if(timeDiff >= ? )
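An added example, not from the original post, showing one way to do the threshold check: keep the difference as a number of seconds (the output of strptime is epoch seconds) and compare that against 3600, converting to the "duration" string only for display, since the formatted string cannot be compared numerically. The two requestDate/receivedDate pairs are constructed sample rows built with makeresults so the search runs without any index.

```spl
| makeresults
| eval pair=split("2024-01-01 10:00:00.000|2024-01-01 10:20:15.500;2024-01-01 10:00:00.000|2024-01-01 11:30:00.250", ";")
| mvexpand pair
| eval requestDate=mvindex(split(pair,"|"),0), receivedDate=mvindex(split(pair,"|"),1)
| eval pollingTime=strptime(requestDate,"%Y-%m-%d %H:%M:%S.%3N")
| eval drainingTime=strptime(receivedDate,"%Y-%m-%d %H:%M:%S.%3N")
| eval diffSeconds=drainingTime-pollingTime
| eval isDelayed=if(diffSeconds >= 3600, "yes", "no")
| eval timeDiff=tostring(diffSeconds,"duration")
| table requestDate receivedDate diffSeconds timeDiff isDelayed
```

For an alert on late records only, replace the isDelayed eval with `| where diffSeconds >= 3600`; in the sample data the first row evaluates to "no" and the second to "yes".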