https://community.splunk.com/t5/Getting-Data-In/Filter-records-using-time-modifiers/m-p/331324#M61388 <P>Now() is already in epochtime.<BR /> you can see with</P> <PRE><CODE>index=_internal | head 1 | eval late=now() | table late </CODE></PRE> <P>beware that in your eval command you losed one %.</P> <P>Bye.<BR /> Giuseppe</P> Thu, 27 Jul 2017 10:17:27 GMT gcusello 2017-07-27T10:17:27Z https://community.splunk.com/t5/Getting-Data-In/Filter-records-using-time-modifiers/m-p/331321#M61385 <P>Can someone tell me why this is not working:-</P> <P>I need to filter records having 'Start_Time' within the mentioned range:</P> <P>Working:-</P> <PRE><CODE>index=imt_mobile source="*LTS_Validation_1" |eval early=relative_time(now(),"-3w@w")|eval late=relative_time(now(),"-2w@w")| where Start_Time&lt;late|table "Track" "CO" early Start_Time late| </CODE></PRE> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3260iAE9A7546424D4692/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Here Start_Time was before 'late' so coming fine.</P> <P>Not Working:-</P> <PRE><CODE>index=imt_mobile source="*LTS_Validation_1" |eval early=relative_time(now(),"-3w@w")|eval late=relative_time(now(),"-2w@w")| where Start_Time&lt;"-2w@w"|table "Track" "CO" early Start_Time late| </CODE></PRE> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3261iAE8E440B810EDC6F/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Here it is not working!!</P> Thu, 27 Jul 2017 07:23:51 GMT https://community.splunk.com/t5/Getting-Data-In/Filter-records-using-time-modifiers/m-p/331321#M61385 dsiob 2017-07-27T07:23:51Z https://community.splunk.com/t5/Getting-Data-In/Filter-records-using-time-modifiers/m-p/331322#M61386 <P>Hi dsiob,<BR /> sorry but I don't understand your problem:<BR /> in a where condition you have to compare two similar fields: if you use " <CODE>-2w@w</CODE> " Splunk don't understand that you're speaking about a time in epochtime format, so you need to transform "-2w@w" in epochtime format to compare with StartTime.<BR /> To do this you have to use (as in your first example) <CODE>|eval late=relative_time(now(),"-2w@w")| where Start_Time&lt;late</CODE><BR /> So, what is the problem to use eval?<BR /> If instead you need to show in Human readable format the three dates use strftime command:</P> <PRE><CODE>| eval early=strftime(early,"%d/m/%Y %H.%M.%S"), late=strftime(late,"%d/m/%Y %H.%M.%S"), StartTime=strftime(StartTime,"%d/m/%Y %H.%M.%S") </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Thu, 27 Jul 2017 08:31:15 GMT https://community.splunk.com/t5/Getting-Data-In/Filter-records-using-time-modifiers/m-p/331322#M61386 gcusello 2017-07-27T08:31:15Z https://community.splunk.com/t5/Getting-Data-In/Filter-records-using-time-modifiers/m-p/331323#M61387 <P>so in place of "-2w@w" I need to use $mytime.Latest$, If I go with eval late=strftime(late,"%d/m/%Y %H.%M.%S") then It does not work If value of $mytime.Latest$ is "now". It is not able to convert "now" to epochtime</P> Thu, 27 Jul 2017 09:21:41 GMT https://community.splunk.com/t5/Getting-Data-In/Filter-records-using-time-modifiers/m-p/331323#M61387 dsiob 2017-07-27T09:21:41Z https://community.splunk.com/t5/Getting-Data-In/Filter-records-using-time-modifiers/m-p/331324#M61388 <P>Now() is already in epochtime.<BR /> you can see with</P> <PRE><CODE>index=_internal | head 1 | eval late=now() | table late </CODE></PRE> <P>beware that in your eval command you losed one %.</P> <P>Bye.<BR /> Giuseppe</P> Thu, 27 Jul 2017 10:17:27 GMT https://community.splunk.com/t5/Getting-Data-In/Filter-records-using-time-modifiers/m-p/331324#M61388 gcusello 2017-07-27T10:17:27Z