Hi, I am trying to find any ticket that has not been assigned to an analyst within the last 15 minutes from its time of arrival. The only timestamp I have is sys_updated_on, meaning that whenever there is any change to the INC, the timestamp for that event is updated.

index="servicenow" INC* sourcetype="snow:incident"
| where assigned_to = ""
| rename sys_updated_on as earliest
| eval date = strptime(earliest, "%Y-%m-%d %H:%M:%S.%3N")
| eval start = strftime(strptime(earliest, "%Y-%m-%d %H:%M:%S.%3N") + 1, "%Y-%m-%d %H:%M:%S.%3N")
| eval end = strftime(strptime(earliest, "%Y-%m-%d %H:%M:%S.%3N") + 900, "%Y-%m-%d %H:%M:%S.%3N")
| table ticket_number start end

So here I have taken the time when the assigned_to field was empty, which is also the INC created time. From the next second up to 15 minutes later, I need to see the series of events with the help of the start and end values. When I do so, I am not able to see any events. Please help.
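An added SPL example (not the poster's query) showing one way to get the result the post describes: instead of formatting start and end strings that are never fed back into a search, group all events per ticket, take the earliest sys_updated_on as the arrival time, and flag tickets that have never carried an assignee for more than 900 seconds. It assumes the field names on the page (ticket_number, assigned_to, sys_updated_on) and that sys_updated_on always has three fractional-second digits.

```spl
index="servicenow" sourcetype="snow:incident" INC*
``` parse the ServiceNow timestamp; the .%3N part is an assumption about the source format ```
| eval updated_epoch = strptime(sys_updated_on, "%Y-%m-%d %H:%M:%S.%3N")
``` treat a missing field and an empty string the same way ```
| eval is_assigned = if(isnotnull(assigned_to) AND assigned_to != "", 1, 0)
``` one row per ticket: arrival time = earliest update, ever_assigned = any event with an analyst ```
| stats min(updated_epoch) as first_seen, max(updated_epoch) as last_update,
        max(is_assigned) as ever_assigned, count as event_count by ticket_number
``` keep tickets that were never assigned and arrived more than 15 minutes ago ```
| where ever_assigned = 0 AND (now() - first_seen) > 900
| eval age_minutes = round((now() - first_seen) / 60, 1)
| eval window_start = strftime(first_seen + 1, "%Y-%m-%d %H:%M:%S")
| eval window_end   = strftime(first_seen + 900, "%Y-%m-%d %H:%M:%S")
| table ticket_number window_start window_end age_minutes event_count
| sort - age_minutes
```

Because the grouping is done with stats rather than by searching on the start and end strings, the time window of the search (e.g. Last 24 hours) only needs to be wide enough to cover the ticket's first event.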