Hi, So my search window is from Feb 19 - Feb 23. I would like to have isolate Feb 19 - to have my events start on this date. My time range give me all the dates, but I would like to have them start with Feb 19 and two days after, but still keeping my time range search Feb 19 - Feb 23. I am using the where clause Feb_19>=PlayTime because I would like to have the events starting on Feb_19. Is my concept correct? I just need to start on the Feb_19 using less than or greater than equal to. (index="Example") OR (index="Blah")
| eval SundayTime=case(area="23", effortsTimeStamp),
PlayTime=case(eventType="Fun", loggedHrofEvent)
| eval date="2021-02-19 00:00:00.00"
| eval Feb19=strptime(date,"%Y-%m-%d %H:%M:%S.%6N")
| eval Feb_19=strftime(Feb19,"%Y-%m-%d %H:%M:%S")
| stats values(documents) as documents, values(index) as index, latest(PlayTime) as PlayTime latest(SundayTime) as SundayTime values(Feb_19) as Feb_19 by orders
| where isnull(PlayTime) AND Feb_19>=PlayTime
... View more