Hi,
I have the below query to compare the date I am extracting from logs with the current date:
(sourcetype="XYZ") OR (sourcetype="ABC")
| rex "\|Some String\|\w+\|(?<Field1>[AEU]\d{9})\|"
| rex "(?P<Date>\d+\/\d+\/\d+\|\d+:\d+:\d+.\d+[^\|]+)"
| eval DatetimeEpoch=strptime(Date,"%Y/%m/%d %H:%M:%S")
| eval epoch30minsago=relative_time(now(), "-30m@m" )
| stats first(sourcetype) as last_sourcetype first(Date) by Field1
| search last_sourcetype="XYZ"
| where DatetimeEpoch>=epoch30minsago
I want to print out the values of Field1 if the field "Date" is 30 mins behind the current time.
The format of the filed "Date" is below:
2013/12/12|07:01:01.311
2013/12/12|07:20:17.464
2013/12/12|07:23:52.217
2013/12/12|07:24:52.480
2013/12/12|07:25:42.285
2013/12/12|07:25:49.494
2013/12/12|07:26:24.669
Please let me know how can I compare this with the current time/date. My query above is not working probably because the field "Date" is in string format and splunk is not able to convert it to epoch?
... View more