https://community.splunk.com/t5/Splunk-Search/Want-to-change-the-epoch-value-dynamically-using-variable/m-p/520260#M146498 <P>what's the error ?</P><P>Tried below and working fine</P><LI-CODE lang="markup">|makeresults count=5|eval epochtime=now()|eval epochtime=epochtime - 10 |where epochtime &lt; now()</LI-CODE> Fri, 18 Sep 2020 07:55:11 GMT renjith_nair 2020-09-18T07:55:11Z https://community.splunk.com/t5/Splunk-Search/Want-to-change-the-epoch-value-dynamically-using-variable/m-p/520249#M146496 <P>Hi,</P><P>I am trying to change the EPOCH value in search having where clause in datamodel using variable but not working&nbsp; so please help as i have tried different options but didn't work.</P><P>from datamodel=Qualys_prod_ext.Qualys_prod where (nodename = Qualys_prod) Qualys_prod.QID=* Qualys_prod.IP=* Qualys_prod.owner="SRE-DIS-ECO-FEA" Qualys_prod.managed=* Qualys_prod.sev="*" Qualys_prod.LAST_FOUND_DATETIME_EPOCH &lt;<SPAN>1600411282</SPAN> AND Qualys_prod.LAST_FOUND_DATETIME_EPOCH &gt; 1596808800 groupby Qualys_prod.IP, Qualys_prod.signature, Qualys_prod.owner, Qualys_prod.QID, Qualys_prod.CVSS_CUSTOM, Qualys_prod.FIRST_FOUND_DATETIME|search Qualys_prod.STATUS=* NOT Qualys_prod.STATUS=FIXED</P><P>so want to change from Qualys_prod.LAST_FOUND_DATETIME_EPOCH &lt; <SPAN>1600411282</SPAN>&nbsp;to Qualys_prod.LAST_FOUND_DATETIME_EPOCH &lt; epochtime variable but having where clause error. I have defined the variable like</P><P>| eval epochtime=now()</P><P>but didn't help</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 18 Sep 2020 06:45:32 GMT https://community.splunk.com/t5/Splunk-Search/Want-to-change-the-epoch-value-dynamically-using-variable/m-p/520249#M146496 saleem_i8 2020-09-18T06:45:32Z https://community.splunk.com/t5/Splunk-Search/Want-to-change-the-epoch-value-dynamically-using-variable/m-p/520260#M146498 <P>what's the error ?</P><P>Tried below and working fine</P><LI-CODE lang="markup">|makeresults count=5|eval epochtime=now()|eval epochtime=epochtime - 10 |where epochtime &lt; now()</LI-CODE> Fri, 18 Sep 2020 07:55:11 GMT https://community.splunk.com/t5/Splunk-Search/Want-to-change-the-epoch-value-dynamically-using-variable/m-p/520260#M146498 renjith_nair 2020-09-18T07:55:11Z https://community.splunk.com/t5/Splunk-Search/Want-to-change-the-epoch-value-dynamically-using-variable/m-p/520270#M146502 <P><SPAN>from datamodel=Qualys_prod_ext.Qualys_prod where (nodename = Qualys_prod) Qualys_prod.QID=* Qualys_prod.IP=* Qualys_prod.owner="SRE-DIS-ECO-FEA" Qualys_prod.managed=* Qualys_prod.sev="*" Qualys_prod.LAST_FOUND_DATETIME_EPOCH &lt; now() AND Qualys_prod.LAST_FOUND_DATETIME_EPOCH &gt; 1597759200 groupby Qualys_prod.IP, Qualys_prod.signature, Qualys_prod.owner, Qualys_prod.QID, Qualys_prod.CVSS_CUSTOM, Qualys_prod.FIRST_FOUND_DATETIME|search Qualys_prod.STATUS=* NOT Qualys_prod.STATUS=FIXED</SPAN></P><P><SPAN>When i change the search from&nbsp;Qualys_prod.LAST_FOUND_DATETIME_EPOCH &lt; 1600417128 to Qualys_prod.LAST_FOUND_DATETIME_EPOCH &lt; now() it throws an error</SPAN></P><P><SPAN>Error in 'TsidxStats': WHERE clause is not an exact query</SPAN></P> Fri, 18 Sep 2020 08:24:51 GMT https://community.splunk.com/t5/Splunk-Search/Want-to-change-the-epoch-value-dynamically-using-variable/m-p/520270#M146502 saleem_i8 2020-09-18T08:24:51Z https://community.splunk.com/t5/Splunk-Search/Want-to-change-the-epoch-value-dynamically-using-variable/m-p/520537#M146556 <P>Any other suggestion please?</P> Mon, 21 Sep 2020 03:06:26 GMT https://community.splunk.com/t5/Splunk-Search/Want-to-change-the-epoch-value-dynamically-using-variable/m-p/520537#M146556 saleem_i8 2020-09-21T03:06:26Z