https://community.splunk.com/t5/Splunk-Search/convert-timerange-to-epoch-values/m-p/143067#M39730 <P>It appears you also have to catch a value of "now" explicitly, i.e.</P> <PRE><CODE>... | where mydate &lt; case(isnum("$timepicker.latest$"), $timepicker.latest$, $timepicker.latest$="now", now(), 1=1, relative_time(now(), "$timepicker.latest$")) </CODE></PRE> Mon, 18 Jul 2016 08:34:38 GMT jeffland 2016-07-18T08:34:38Z https://community.splunk.com/t5/Splunk-Search/convert-timerange-to-epoch-values/m-p/143061#M39724 <P>Hello!</P> <P>I want to use my timerange as a filter in a search on a dashboard, like this:<BR /> ..... | where mydate &lt; $timepicker.latest$</P> <P>But i need to conver values like "@d" , "-1h" and so on to epoch. <BR /> And the latest may be already in epoch format. Then I do not need to convert.<BR /> How can I do this?</P> Tue, 15 Jul 2014 15:17:06 GMT https://community.splunk.com/t5/Splunk-Search/convert-timerange-to-epoch-values/m-p/143061#M39724 0range 2014-07-15T15:17:06Z https://community.splunk.com/t5/Splunk-Search/convert-timerange-to-epoch-values/m-p/143062#M39725 <P>For this notation you can use the <CODE>relative_time()</CODE> function:</P> <PRE><CODE>... | where mydate &lt; relative_time(now(), "$timepicker.latest$") </CODE></PRE> <P>However, you first need to check whether it's a number or not and only apply this if it isn't:</P> <PRE><CODE>... | where mydate &lt; if(isnum("$timepicker.latest$"), $timepicker.latest$, relative_time(now(), "$timepicker.latest$")) </CODE></PRE> <P>Note, I'm not 100% certain if this catches every case imaginable or not - make sure you test everything your users will need later.</P> Tue, 15 Jul 2014 15:28:12 GMT https://community.splunk.com/t5/Splunk-Search/convert-timerange-to-epoch-values/m-p/143062#M39725 martin_mueller 2014-07-15T15:28:12Z https://community.splunk.com/t5/Splunk-Search/convert-timerange-to-epoch-values/m-p/143063#M39726 <P>If the same timepicker is used to define timerange for the search then, this should work.</P> <PRE><CODE>your search ..| where mydate &lt; [|gentimes start=-1 | addinfo | eval search=info_max_time | table search] </CODE></PRE> <P>The 'addinfo' command will create fields info_min_time (based on search's earliest time) and info_max_time (based on search's latest time) which are in epoch already.</P> Mon, 28 Sep 2020 17:04:22 GMT https://community.splunk.com/t5/Splunk-Search/convert-timerange-to-epoch-values/m-p/143063#M39726 somesoni2 2020-09-28T17:04:22Z https://community.splunk.com/t5/Splunk-Search/convert-timerange-to-epoch-values/m-p/143064#M39727 <P>No, the timepicker is not the same</P> Tue, 15 Jul 2014 15:40:10 GMT https://community.splunk.com/t5/Splunk-Search/convert-timerange-to-epoch-values/m-p/143064#M39727 0range 2014-07-15T15:40:10Z https://community.splunk.com/t5/Splunk-Search/convert-timerange-to-epoch-values/m-p/143065#M39728 <P>seems that @d is not compatible with relative_time function</P> Tue, 15 Jul 2014 15:42:59 GMT https://community.splunk.com/t5/Splunk-Search/convert-timerange-to-epoch-values/m-p/143065#M39728 0range 2014-07-15T15:42:59Z https://community.splunk.com/t5/Splunk-Search/convert-timerange-to-epoch-values/m-p/143066#M39729 <P>It is. Run this dummy query to confirm:</P> <PRE><CODE>| stats count as now | eval now = strftime(now(), "%+") | eval at_d = strftime(relative_time(now(), "@d"), "%+") </CODE></PRE> Tue, 15 Jul 2014 15:47:54 GMT https://community.splunk.com/t5/Splunk-Search/convert-timerange-to-epoch-values/m-p/143066#M39729 martin_mueller 2014-07-15T15:47:54Z https://community.splunk.com/t5/Splunk-Search/convert-timerange-to-epoch-values/m-p/143067#M39730 <P>It appears you also have to catch a value of "now" explicitly, i.e.</P> <PRE><CODE>... | where mydate &lt; case(isnum("$timepicker.latest$"), $timepicker.latest$, $timepicker.latest$="now", now(), 1=1, relative_time(now(), "$timepicker.latest$")) </CODE></PRE> Mon, 18 Jul 2016 08:34:38 GMT https://community.splunk.com/t5/Splunk-Search/convert-timerange-to-epoch-values/m-p/143067#M39730 jeffland 2016-07-18T08:34:38Z