The following works for e.g. last week, last month, etc., but doesn't work where $TIMERANGE.latest$ is set by the picker to "now", or to a specific datetime value.
eval latest_EPOCH=relative_time(now(),"$TIMERANGE.latest$")
I've tried doing
eval temp=if("$TIMERANGE.latest$"=="now","-0m","$TIMERANGE.latest$") | eval latest_EPOCH=relative_time(now(),temp)
and that fixes "now" but not specific date ranges.
Hi Nick,
Here is one way to do it:
earliest=coalesce(if(isnum("$TIMERANGE.earliest$"),"$TIMERANGE.earliest$",relative_time(now(),"$TIMERANGE.earliest$")),0)
latest=coalesce(if(isnum("$TIMERANGE.latest$"),"$TIMERANGE.latest$",relative_time(now(),"$TIMERANGE.latest$")),99999999999)
Good luck
If you're inside a dashboard, this is much much faster:
<input type="time" token="time">
  <label></label>
  <default>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </default>
  <change>
    <eval token="earliest_epoch">case(isnum($earliest$), $earliest$, $earliest$=="now", time(), $earliest$="", 0, true(), relative_time(time(), $earliest$))</eval>
    <eval token="latest_epoch">case(isnum($latest$), $latest$, $latest$=="now", time(), true(), relative_time(time(), $latest$))</eval>
  </change>
</input>
ty again! posted here on SA as well in case it helps anyone else out.
OK, a better solution, thanks to @micahkemp, would be to do this:
your_search | addinfo | eval latest_EPOCH = info_max_time
(or use rename)
For that solution (the better solution), make sure you also have
<earliest>$TIMERANGE.earliest$</earliest>
<latest>$TIMERANGE.latest$</latest>
after the query stanza, otherwise addinfo doesn't know where to get earliest and latest from; it will just default to be all-time.
So the solution posted here by @micahkemp does NOT work if you are using a post-process search, since the earliest and latest stanzas have to be identical to the base search. However, the answers provided by @martin_mueller and @chrisyoungerjds will work.
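The addinfo approach discussed in the thread, assembled into one dashboard as an added example (not code from any of the posters). The `index=_internal | head 100` base search, the `earliest_EPOCH` field name, the label and the table panel are assumptions for illustration; `info_min_time` and `info_max_time` are the fields addinfo adds for the search's time bounds.

```xml
<form>
  <label>Time picker to epoch (illustrative)</label>
  <fieldset>
    <!-- Time picker whose token name matches the thread: TIMERANGE -->
    <input type="time" token="TIMERANGE">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- addinfo exposes the bounds the search actually ran with,
               already resolved to epoch, so "now", relative modifiers and
               picked datetimes all need no special handling in eval -->
          <query>index=_internal | head 100
| addinfo
| eval earliest_EPOCH=info_min_time, latest_EPOCH=info_max_time
| table _time earliest_EPOCH latest_EPOCH</query>
          <!-- Without these two elements the search is not bound to the
               picker, and addinfo reports the default range instead -->
          <earliest>$TIMERANGE.earliest$</earliest>
          <latest>$TIMERANGE.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

When the search runs over all time, `info_max_time` comes back as `+Infinity` rather than a number, so guard any arithmetic on `latest_EPOCH` for that case.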