For example I have this query:
index=en_amp_api
[ | makeresults
| eval time = relative_time(now(),"-h@w1")
| eval format = strftime(time, "%m/%d/%Y:%H:%M:%S")
| eval earliest=strptime(format,"%m/%d/%Y")
| eval latest=relative_time(earliest,"+24h@h")
| table earliest latest ]
| table earliest, latest
| ....
I see the values of earliest and latest with table only inside [ ... ], but I cannot see the values after the closing brackets!
I want to see the values after the closing brackets! How is that possible?
As per my understanding, you want to generate earliest and latest epochs from the makeresults query and pass them to your index query.
Please try this code:
| makeresults
| eval time = relative_time(now(),"-h@w1")
| eval format = strftime(time, "%m/%d/%Y:%H:%M:%S")
| eval earliest=strptime(format,"%m/%d/%Y")
| eval latest=relative_time(earliest,"+24h@h") | table earliest latest
| map maxsearches=1000 search="search index=en_amp_api earliest=$earliest$ latest=$latest$ | table <list of fields> "
Let me know if it works.
Unfortunately, the proposed solution does not work
What is the error you are getting? Please provide some screenshot.
I have a different case:
| eval this_week = case(last_seen < strftime(relative_time(now(), "-mon"), "%Y-%m-%dT%H:%M:%SZ"), "1 Month")
| eval 1_week_ago = case(last_seen < strftime(relative_time(now(), "-2mon"), "%Y-%m-%dT%H:%M:%SZ"), "2 Month")
Now: 7/12/19 10:30:00.000 AM
I need to search the first case in the time interval 7/8/19 00:00:00.000 AM - 7/9/19 00:00:00.000 AM
The second case in the time interval 7/1/19 00:00:00.000 AM - 7/2/19 00:00:00.000 AM
How is it possible?
With the search parameters earliest and latest it's impossible,
index=en_amp_api earliest=@w1 latest=@w2
because the search works only on the first case.
I tried something like this to make earliest and latest variables:
| makeresults
| eval time = relative_time(now(),"-h@w1")
| eval format = strftime(time, "%m/%d/%Y:%H:%M:%S")
| eval earliest = strptime(format,"%m/%d/%Y")
| eval latest = relative_time(earliest,"+24h@h")
| eval format_earliest = strftime(earliest,"%m/%d/%Y %H:%M:%S")
| eval format_latest = strftime(latest,"%m/%d/%Y %H:%M:%S")
| table format_earliest format_latest
To answer your question, see here:
https://answers.splunk.com/answers/689333/earliest-is-the-maxtimestamp-from-an-inputlookup.html
But that is overkill, just do this:
index=en_amp_api earliest=-h@w1 latest=-h@w1+24h@h
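To make the modifiers in this thread concrete, here is an added Python example (not Splunk code and not from anyone in the thread) that implements my understanding of Splunk's offset-then-snap rule for a subset of the relative-time grammar (h, d, w, mon offsets; @h, @d, @w0-7, @mon snaps) and evaluates the thread's expressions at its stated clock of 7/12/19 10:30:00 AM. The `-w@w1` pair used for last week's Monday is my assumption, not something posted in the thread.

```python
import calendar
import re
from datetime import datetime, timedelta

# Constructed reference clock taken from the thread: Fri 7/12/19 10:30:00 AM.
NOW = datetime(2019, 7, 12, 10, 30, 0)

# One offset token (-h, +24h, -2mon) or one snap token (@h, @d, @w1, @mon).
_TOKEN = re.compile(r"([+-]?)(\d*)(mon|h|d|w)|@(mon|h|d|w[0-7]?)")
_DELTA = {"h": timedelta(hours=1), "d": timedelta(days=1), "w": timedelta(weeks=1)}

def _shift_months(t, n):
    """Move t by n calendar months, clamping the day to the target month."""
    idx = t.month - 1 + n
    year, month = t.year + idx // 12, idx % 12 + 1
    return t.replace(year=year, month=month,
                     day=min(t.day, calendar.monthrange(year, month)[1]))

def _snap(t, unit):
    """Round t backwards to the start of the given unit (Splunk '@' semantics)."""
    day = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    if unit == "d":
        return day
    if unit == "mon":
        return day.replace(day=1)
    # @w / @w0 / @w7 is Sunday, @w1..@w6 is Monday..Saturday, never in the future.
    want = int(unit[1:] or 0) % 7
    have = (t.weekday() + 1) % 7          # Python: Monday=0, so Sunday becomes 0
    return day - timedelta(days=(have - want) % 7)

def relative_time(t, spec):
    """Apply a Splunk-style modifier such as '-h@w1+24h@h' to t, left to right."""
    pos = 0
    for m in _TOKEN.finditer(spec):
        if m.start() != pos:
            raise ValueError(f"unparsable modifier: {spec!r}")
        pos = m.end()
        if m.group(4):                    # snap token: '@' then unit
            t = _snap(t, m.group(4))
        else:                             # offset token: sign, count, unit
            n = int(m.group(2) or 1) * (-1 if m.group(1) == "-" else 1)
            t = _shift_months(t, n) if m.group(3) == "mon" else t + n * _DELTA[m.group(3)]
    if pos != len(spec):
        raise ValueError(f"unparsable modifier: {spec!r}")
    return t

if __name__ == "__main__":
    # The thread's intervals: this week's Monday, last week's Monday, and @w1/@w2.
    for e, l in (("-h@w1", "-h@w1+24h@h"), ("-w@w1", "-w@w1+24h@h"), ("@w1", "@w2")):
        print(e, l, "->", relative_time(NOW, e), relative_time(NOW, l))
```

Note that at this clock `earliest=@w1 latest=@w2` resolves to the same 7/8 to 7/9 window as `-h@w1` / `-h@w1+24h@h`, so the two forms only differ when run late on a Sunday.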
I need to change the values of earliest and latest in the different cases, so I cannot set the search parameters after the index.
I need to change them by setting a higher or lower value, so the search for the different cases runs at the time indicated by earliest and latest.
Give us TWO FULL examples of what you are trying to do starting with the raw event data and ending with a mockup of the final results, with detailed pseudocode descriptions of the steps required. I have no idea what you mean by this comment. It very much seems like you are going about this completely the wrong way.
What is it with pictures lately? I wish answers would disable that. We need your raw text so that we can work with it.
Sorry, I understand
I will make changes !
@malear_ion Do you have any earliest and latest field in your index en_amp_api ?
No, it is a replacement for the search parameters.
For example :
index=en_amp_api earliest=@w1 latest=@w2 | table hostname, last_seen
It's the same!