I have a scenario where I need to pass earliest and latest time in my subsearch down to milliseconds. How can we achieve that? My main search runs for the past 5 days.
Hi ankithreddy777,
You can set earliest=-15m and latest=now in a subsearch by using the subsearch below.
[
<<your_search>> earliest=-15m latest=now
]
In your case, as I understand, you have earliest and latest in "Y-m-d H:M:S" format. So here I used the return command to convert the date to epoch time and use it in the search filter. Then the subsearch is:
[
<<your_search>> [ | makeresults | eval earliest=strptime("2017-02-01 00:01:01","%Y-%m-%d %H:%M:%S"),latest=strptime("2017-02-01 00:11:01","%Y-%m-%d %H:%M:%S") | return 1 earliest latest]
]
Please change the strptime format if required.
So can you please try this search.
Thanks
Kamlesh
Hi Kamlesh,
Can we pass the time down to milliseconds? My requirement is that I need to pass values with millisecond precision. Otherwise I would have used epoch time. My earliest and latest times can be in any format, but I need to pass them with milliseconds. Ex: 2017-02-01 00:11:01.587 OR 02/01/2017:00:11:01.587.
Hi
Yes.
You can format it using :
| eval earliest=strptime("2017-02-01 00:01:01.587","%Y-%m-%d %H:%M:%S.%3Q")
OR
| eval earliest=strptime("02/01/2017:00:11:01.587","%m/%d/%Y:%H:%M:%S.%3Q")
Please see Date Time format for other date/time formats. It will help you a lot.
Thanks
Kamlesh
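An added example, not from the original thread, that combines the two answers above: the subsearch parses millisecond-precision bounds from a string in either of the two formats the question mentions (strptime returns null when the format does not match, so coalesce keeps whichever parse succeeded), return 1 turns them into earliest/latest terms for the outer search, and the outer search formats _time back with milliseconds so the bounds can be checked. The index and sourcetype names and the two timestamp strings are placeholders / constructed sample values.

```spl
index=<your_index> sourcetype=<your_sourcetype>
    [ | makeresults
      | eval start_str="02/01/2017:00:01:01.587", end_str="2017-02-01 00:11:01.587"
      | eval earliest=coalesce(strptime(start_str,"%Y-%m-%d %H:%M:%S.%3Q"),
                               strptime(start_str,"%m/%d/%Y:%H:%M:%S.%3Q")),
             latest=coalesce(strptime(end_str,"%Y-%m-%d %H:%M:%S.%3Q"),
                             strptime(end_str,"%m/%d/%Y:%H:%M:%S.%3Q"))
      | return 1 earliest latest ]
| eval time_ms=strftime(_time, "%Y-%m-%d %H:%M:%S.%3N")
| table time_ms _raw
```

The sub-second part travels in the fractional epoch value that return emits (earliest=1485907261.587000 and so on), which is what the strptime/%3Q approach above relies on; time_ms lets you confirm no event outside the millisecond window was returned.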
thanks a lot
Hi,
If your problem is solved, then kindly accept the answer, as it would be helpful to the community.
Thanks
Kamlesh