https://community.splunk.com/t5/Splunk-Search/Use-field-value-for-earliest-and-latest/m-p/120805#M32460 <P>It would seem to me you'd need to have a function there which would replace the literal characters "first" with the value. I've not seen this done, but could you do a subsearch in brackets there? i.e. search index=any earliest=[search terms | fields first]</P> Thu, 26 Jun 2014 12:25:12 GMT jeremiahc4 2014-06-26T12:25:12Z https://community.splunk.com/t5/Splunk-Search/Use-field-value-for-earliest-and-latest/m-p/120803#M32458 <P>Hello,</P> <P>I have a field "first" with a value that looks like "%m/%d/%Y:%H:%M:%S". For Example 06/25/2014:0:0:0.<BR /> Now I would like to use this field value for:</P> <PRE><CODE>search index=any earliest=first... </CODE></PRE> <P>This gives me the exception that the string "first" is invalid for earliest.<BR /> But if I use earliest = "06/25/2014:0:0:0" it works.<BR /> How can i use the field value?<BR /> Greetings </P> Thu, 26 Jun 2014 11:53:59 GMT https://community.splunk.com/t5/Splunk-Search/Use-field-value-for-earliest-and-latest/m-p/120803#M32458 C_Sparn 2014-06-26T11:53:59Z https://community.splunk.com/t5/Splunk-Search/Use-field-value-for-earliest-and-latest/m-p/120804#M32459 <P>Where does that field value come from?</P> Thu, 26 Jun 2014 12:01:07 GMT https://community.splunk.com/t5/Splunk-Search/Use-field-value-for-earliest-and-latest/m-p/120804#M32459 martin_mueller 2014-06-26T12:01:07Z https://community.splunk.com/t5/Splunk-Search/Use-field-value-for-earliest-and-latest/m-p/120805#M32460 <P>It would seem to me you'd need to have a function there which would replace the literal characters "first" with the value. I've not seen this done, but could you do a subsearch in brackets there? i.e. search index=any earliest=[search terms | fields first]</P> Thu, 26 Jun 2014 12:25:12 GMT https://community.splunk.com/t5/Splunk-Search/Use-field-value-for-earliest-and-latest/m-p/120805#M32460 jeremiahc4 2014-06-26T12:25:12Z https://community.splunk.com/t5/Splunk-Search/Use-field-value-for-earliest-and-latest/m-p/120806#M32461 <P>Hello, <BR /> I'm getting the value from a field with multiple date values like this:</P> <P>|stats first(other_field) as first then I go on with<BR /> |join[search... earliest = first]</P> <P>And earliest=[subsearch] is a good idea but is also not working.<BR /> Greetings</P> Thu, 26 Jun 2014 12:49:16 GMT https://community.splunk.com/t5/Splunk-Search/Use-field-value-for-earliest-and-latest/m-p/120806#M32461 C_Sparn 2014-06-26T12:49:16Z https://community.splunk.com/t5/Splunk-Search/Use-field-value-for-earliest-and-latest/m-p/120807#M32462 <P>You can pass subsearch results into <CODE>earliest</CODE> and <CODE>latest</CODE> like this:</P> <PRE><CODE>index=_internal [stats count | eval earliest="-h@m" | fields earliest] [stats count | eval latest="now" | fields latest] </CODE></PRE> <P>The two subsearches can be arbitrary searches that somehow compute the timerange.</P> Thu, 26 Jun 2014 13:18:41 GMT https://community.splunk.com/t5/Splunk-Search/Use-field-value-for-earliest-and-latest/m-p/120807#M32462 martin_mueller 2014-06-26T13:18:41Z https://community.splunk.com/t5/Splunk-Search/Use-field-value-for-earliest-and-latest/m-p/120808#M32463 <P>Hello,</P> <P>thank you, that is working. But you can also use </P> <P>search...earliest = [search subsearch |return $earliest]</P> <P>if earliest has the right time format.<BR /> Greetings</P> Thu, 26 Jun 2014 14:11:44 GMT https://community.splunk.com/t5/Splunk-Search/Use-field-value-for-earliest-and-latest/m-p/120808#M32463 C_Sparn 2014-06-26T14:11:44Z https://community.splunk.com/t5/Splunk-Search/Use-field-value-for-earliest-and-latest/m-p/120809#M32464 <P>Yeah - be wary of using that in dashboards though, you'll have to escape the dollar sign using a second dollar sign.</P> Thu, 26 Jun 2014 15:54:00 GMT https://community.splunk.com/t5/Splunk-Search/Use-field-value-for-earliest-and-latest/m-p/120809#M32464 martin_mueller 2014-06-26T15:54:00Z