Solved: How can I use the "where" function to find where t...

GHOST27 · ‎07-25-2017

Ex: | where first_seen<"24h" or where first_seen="-1d" this is what I used but obviously it's wrong.

somesoni2 · ‎07-25-2017

You would need to make use of relative_time function in there.

If first_seen is in epoch format, then try like this

..| where first_seen>=relative_time(now(),"-24h")

If it's not in epoch, need to convert it to epoch to compare

..| where strptime(first_seen,"<<TimeFormatHere>>") >=relative_time(now(),"-24h")

somesoni2 · ‎07-25-2017

You would need to make use of relative_time function in there.

If first_seen is in epoch format, then try like this

..| where first_seen>=relative_time(now(),"-24h")

If it's not in epoch, need to convert it to epoch to compare

..| where strptime(first_seen,"<<TimeFormatHere>>") >=relative_time(now(),"-24h")

GHOST27 · ‎07-25-2017

Your are the man with the juice!!!

How can I use the "where" function to find where the output will be only the last 24hrs of the results?