Hi,
I have 2 fields. I would like to only display **lastLogonTimestamp** values that are more than 90 days older than the **_time** value.
Thanks
lastLogonTimestamp
2018-05-30T03:19:45.368884Z
_time
2018-06-05T15:25:27.999-04:00
| eval LastLogon=strptime(lastLogonTimestamp,"%Y-%m-%dT%H:%M:%S.%6N")
| eval LastLogon90days=LastLogon+(90*24*60*60)
| where LastLogon90days < _time
Thanks kmaron
That works great
Could you do the same for the following?
I would like to only display TERMINATION_DT values that are more than 90 days older than the _time value.
TERMINATION_DT
2006-03-09 00:00:00.0
_time
2018-06-07T09:09:42.819-04:00
I appreciate this.
Alan
It's going to be the same thing. The only change is in the format of the strptime (which you can find here: https://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Commontimeformatvariables)
| eval TERMINATION=strptime(TERMINATION_DT,"%Y-%m-%d %H:%M:%S.%N")
| eval TERMINATION90days=TERMINATION+(90*24*60*60)
| where TERMINATION90days < _time
Awesome, thanks
Take a look at this thread - https://answers.splunk.com/answers/180660/how-to-convert-a-timestamp-field-to-epoch-format.html