https://community.splunk.com/t5/Splunk-Search/Cannot-use-earliest-and-latest-for-time-field-newly-converted/m-p/80919#M20453 <P>Hello,</P> <P>When i trigger a search like:</P> <PRE><CODE>host="win20_oslo-ifs_CC-DC" index="sqlobj" | multikv | eval BusinessEpoch=strptime(BusinessDay,"%m/%d/%Y %I:%M:%S %p") | eval _time=BusinessEpoch | table _time </CODE></PRE> <P>It gives a table of _time field that is converted from BusinessDay, but if i use:</P> <PRE><CODE>host="win20_oslo-ifs_CC-DC" index="sqlobj" | multikv | eval BusinessEpoch=strptime(BusinessDay,"%m/%d/%Y %I:%M:%S %p") | eval _time=BusinessEpoch | search earliest=-1d latest=now | table _time </CODE></PRE> <P>I've got no result , and i tried several times by changing the value of earliest or lastest but couldn't be successful. Can you suggest me what to do ?</P> Tue, 08 Jan 2013 15:25:17 GMT sieutruc 2013-01-08T15:25:17Z https://community.splunk.com/t5/Splunk-Search/Cannot-use-earliest-and-latest-for-time-field-newly-converted/m-p/80919#M20453 <P>Hello,</P> <P>When i trigger a search like:</P> <PRE><CODE>host="win20_oslo-ifs_CC-DC" index="sqlobj" | multikv | eval BusinessEpoch=strptime(BusinessDay,"%m/%d/%Y %I:%M:%S %p") | eval _time=BusinessEpoch | table _time </CODE></PRE> <P>It gives a table of _time field that is converted from BusinessDay, but if i use:</P> <PRE><CODE>host="win20_oslo-ifs_CC-DC" index="sqlobj" | multikv | eval BusinessEpoch=strptime(BusinessDay,"%m/%d/%Y %I:%M:%S %p") | eval _time=BusinessEpoch | search earliest=-1d latest=now | table _time </CODE></PRE> <P>I've got no result , and i tried several times by changing the value of earliest or lastest but couldn't be successful. Can you suggest me what to do ?</P> Tue, 08 Jan 2013 15:25:17 GMT https://community.splunk.com/t5/Splunk-Search/Cannot-use-earliest-and-latest-for-time-field-newly-converted/m-p/80919#M20453 sieutruc 2013-01-08T15:25:17Z https://community.splunk.com/t5/Splunk-Search/Cannot-use-earliest-and-latest-for-time-field-newly-converted/m-p/80920#M20454 <P>Did you try without "lastest"? Because that's a typo - it should be "latest"...</P> Tue, 08 Jan 2013 15:38:37 GMT https://community.splunk.com/t5/Splunk-Search/Cannot-use-earliest-and-latest-for-time-field-newly-converted/m-p/80920#M20454 Ayn 2013-01-08T15:38:37Z https://community.splunk.com/t5/Splunk-Search/Cannot-use-earliest-and-latest-for-time-field-newly-converted/m-p/80921#M20455 <P>Thanks, yes i did one of both separately, but got no success too</P> Tue, 08 Jan 2013 15:48:00 GMT https://community.splunk.com/t5/Splunk-Search/Cannot-use-earliest-and-latest-for-time-field-newly-converted/m-p/80921#M20455 sieutruc 2013-01-08T15:48:00Z https://community.splunk.com/t5/Splunk-Search/Cannot-use-earliest-and-latest-for-time-field-newly-converted/m-p/80922#M20456 <P>The earliest and latest searchterms will only function in the search command when it's the initial search command in the pipeline. This is because those searchterms are really just a shorthand way to submit the "earliest" and "latest" arguments to the Splunk search API, back when the search is being dispatched initially. </P> <P>So to filter by time further down in the search pipeline, I would use the "relative_time" function that's available in the eval and where commands. </P> <P>Specifically : </P> <PRE><CODE>| where _time&gt;=relative_time(now(),"-1h") AND _time&lt;now() </CODE></PRE> Wed, 09 Jan 2013 02:20:55 GMT https://community.splunk.com/t5/Splunk-Search/Cannot-use-earliest-and-latest-for-time-field-newly-converted/m-p/80922#M20456 sideview 2013-01-09T02:20:55Z https://community.splunk.com/t5/Splunk-Search/Cannot-use-earliest-and-latest-for-time-field-newly-converted/m-p/80923#M20457 <P>So... side question...</P> <P>Is there any way to "reset" the "search timeframe" so that all the "commands that bin" will honor a new "search timeframe" instead of the timeframe used in the original query?</P> Tue, 27 Jun 2017 18:16:22 GMT https://community.splunk.com/t5/Splunk-Search/Cannot-use-earliest-and-latest-for-time-field-newly-converted/m-p/80923#M20457 vbumgarner 2017-06-27T18:16:22Z