I am trying to add time modifiers to the "from" command, from within the query, without much luck.
An example for the command is:
| from datamodel:"Authentication"."Failed_Authentication" | search dest="Host1" app="win:local"
Can anyone help me figure this out?
This answer shows you how to use a macro in the same way that you are using `from datamodel`, which means that you can use earliest and latest inline in the normal way (upvotes appreciated):
Thanks for your response.
It is not exactly what I was looking for.
The problem is only with the "from" command. The tstats command can be used with time modifiers.
Also, I have Splunk Cloud, so it is a bit of a problem to add the macros to the file.
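As an added illustration (not part of the original thread), this is the tstats form the reply above refers to, with earliest and latest placed in the where clause rather than relying on the time picker. The data model, dataset, host and app values are taken from the question; the 24-hour window is an assumed example value, and the fields in the by clause are only illustrative.

```spl
| tstats count
    from datamodel=Authentication.Failed_Authentication
    where earliest=-24h latest=now
          Authentication.dest="Host1"
          Authentication.app="win:local"
    by Authentication.dest Authentication.app Authentication.src
```

Field names must carry the data model prefix (Authentication.dest, not dest) when used in tstats, and the earliest/latest tokens go inside the same where clause as the field filters; to bucket results over time, replace the by clause with `by _time span=1h` followed by any fields to split on.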