I have events whose only time stamp is the Splunk-generated _time, and I only need to return events after a certain date, 3/22/2018. Simply adding "Where _time > 3/22/2018" does not work, and I have attempted converting _time and comparing against that, to no avail.
Any suggestions?
If _time is the time you want to use for searches, using the time picker should work just fine.
Try this
index=...
| eval epoch=strptime(YOUR_TIME_FIELD, "%m/%d/%Y")
| where epoch > 1521748648
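
Added example, not part of either answer above: two ways to cut a search off at 3/22/2018 using _time itself, since the bare 3/22/2018 in the question's where clause is not an epoch value that _time can be compared against. The first search uses the earliest time modifier, which limits the time range before events are retrieved; the second converts the date to epoch seconds with strptime and filters afterwards. The index name your_index is a placeholder.

```spl
index=your_index earliest="03/22/2018:00:00:00"

index=your_index
| where _time >= strptime("03/22/2018", "%m/%d/%Y")
```

Both forms take midnight at the start of 3/22/2018 as the boundary and interpret it in the searching user's time zone; use 03/23/2018 if events from the 22nd itself should be excluded.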