Hi,

I am using below query to fetch change request events created in last 30days...but when i seletc time range i am getting alltime events itseems.

Can anyone suggest how to get events only created in previous month or specific time period.

Query Used:
index=servicenow eventtype=snow_change* sourcetype="snow:change_request" (change_state_name="Work Complete" OR change_state_name=Closed) | dedup number | eval diff=strptime(dv_work_end,"%Y-%m-%d %H:%M:%S")-strptime(dv_work_start,"%Y-%m-%d %H:%M:%S")
| eval Downtime=round((diff/60),3)
| table number Downtime host dv_work_start dv_work_end

Events shown:

100 Per Page
Format
Preview
Prev1...3456789...Next
number Downtime host dv_work_start dv_work_end
CHG0129357 300.000 kmci4odw2023 2020-01-19 21:00:00 2020-01-20 02:00:00
CHG0129566 120.000 kmci4odw2023 2020-01-19 23:30:00 2020-01-20 01:30:00
CHG0129494 99.250 kmci4odw2023 2020-01-19 23:48:54 2020-01-20 01:28:09
CHG0129795 4320.367 kmci4odw2023 2020-01-20 10:55:10 2020-01-23 10:55:32
CHG0129116 1110.000 kmci4odw2023 2020-01-20 13:00:00 2020-01-21 07:30:00