Hi,
I am running the below script successfully. However, I would like to now minimise the return results by only collecting records that have a submit_date greater than "01 June 17" for example. I have tried a few options from threads found here but no success. The records either come back ignoring the date filter or no records come back at all.
I have tried the following after all other evals in my script:
|eval mylimit=strptime("01/06/2017 00:00:00", "%d/%m/%y %H:%M:%S")| where submit_date > mylimit
|eval mylimit=strftime("01/06/2017 00:00:00", "%d/%m/%y %H:%M:%S")| where submit_date > mylimit
Can anyone assist?
Full operation code:
index=itam sourcetype=itam_inc_xml |stats latest(product_name) as Application , latest(priority) as priority , latest(urgency) as urgency , latest(impact) as impact , latest(submit_date) as submit_date, latest(submitter) as submitter, latest(last_resolved_date) as last_resolved_date, latest(closed_date) as closed_date, latest(days_open) as days_open, latest(status) as status, latest(assigned_group) as assigned_group , latest(service_type) as service_type ,latest(description) as summary, latest(detailed_description) as notes , latest(owner) as owner , latest(owner_group) as owner_group , latest(assigned_support_company) as assigned_support_company , latest(assigned_support_organization) as assigned_support_organization , latest(login_id) as login_id , latest(first_name) as first_name , latest(last_name) as last_name by incident_number|eval days_open= round(((now()-(submit_date/1000))/86400),2)|eval submit_date=strftime(submit_date/1000,"%d/%m/%y %H:%M:%S")| eval last_resolved_date=strftime(last_resolved_date/1000,"%d/%m/%y %H:%M:%S")| eval closed_date=strftime(closed_date/1000,"%d/%m/%y %H:%M:%S")|lookup Department_list Employee AS login_id OUTPUTNEW Department|table incident_number, Application, priority, urgency, impact, submit_date, submitter, last_resolved_date, closed_date, days_open, status, assigned_group, service_type, summary, notes, owner, owner_group, assigned_support_company, assigned_support_organization, login_id, first_name, last_name, Department|where Department!=""
... View more