json spath w/ date

... | spath input=message | where strptime('updated_at', "%Y-%m-%d %H:%M:%S %z") > strptime("2013-08-07 00:00:00", "%Y-%m-%d %H:%M:%S")

purpose:

Searches for events that contain a field called "message". That field holds a JSON payload, which is expanded into fields by a call to spath. One of the resulting fields, updated_at, is then parsed with strptime and compared against a fixed date, so that only events whose updated_at is later than 2013-08-07 00:00:00 are kept.
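The original search compares a field parsed with "%z" against a literal parsed without one, so the cutoff is interpreted in the search head's timezone, and any event whose updated_at fails to parse is silently dropped because strptime returns null. The following is an added example (not from the original snippet) that pins the cutoff to an explicit offset and surfaces unparsable values instead of hiding them; the index name, sourcetype and the constant_cutoff value are assumptions.

```spl
index=app sourcetype=json_app message=*
| spath input=message
| eval updated_epoch=strptime(updated_at, "%Y-%m-%d %H:%M:%S %z")
| eval cutoff_epoch=strptime("2013-08-07 00:00:00 +0000", "%Y-%m-%d %H:%M:%S %z")
| eval parse_status=if(isnotnull(updated_epoch), "ok", "unparsed")
| where parse_status="unparsed" OR updated_epoch > cutoff_epoch
| table _time parse_status updated_at message
```

Rows with parse_status="unparsed" show events whose updated_at did not match the expected format; once those are understood, tighten the where clause to `where updated_epoch > cutoff_epoch` to get the original filter with a timezone-stable cutoff.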

requirements:

comments: