Solved: Is it possible to use the "latest" time modifier a...

HeinzWaescher · ‎03-09-2018

Hi,

I would like to use the "latest" time modifier that is defined by the the timerange picker or in my base search as a value for calculations. Is there a field that includes this timestamp and can be used?

Thanks in advance
Heinz

elliotproebstel · ‎03-09-2018

You can get that value by using the addinfo command. Use | addinfo and your events will all have four new fields:

info_min_time: corresponds to the "earliest" time in your timepicker
info_max_time: corresponds to the "latest" time in your timepicker <-- the one you want
info_sid: the ID of the search you ran
info_search_time: the time you ran the search

View solution in original post

elliotproebstel · ‎03-09-2018

You can get that value by using the addinfo command. Use | addinfo and your events will all have four new fields:

info_min_time: corresponds to the "earliest" time in your timepicker
info_max_time: corresponds to the "latest" time in your timepicker <-- the one you want
info_sid: the ID of the search you ran
info_search_time: the time you ran the search

HeinzWaescher · ‎03-12-2018

this works fine, thanks 🙂

gcusello · ‎03-09-2018

Hi HeinzWaescher,
you can use it in dashboard panels as token: e.g. if your time picher token is called "Time", you have $Time.latest$
Bye.
Giuseppe

Is it possible to use the "latest" time modifier as a field for calculations?

Index This | A sphere has three, a circle has two, and a point has zero. What is it?

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)