I have created a workflow through the GUI (the corresponding workflow_actions.conf is below).
The intention is to provide the user with a similar action to "show source" which instead displays the application transaction that the event belongs to.
We have a macro search that can perform this search using two parameters (thread and host). And the workflow action triggers this search correctly.
The problem we have is narrowing the secondary search so only the transaction in question is displayed (or at least as few extraneous ones as possible are shown). If the user's original search is over 24 hours and they click on "Show transaction" then they get every transaction for 24 hours that matches the host and thread, which can be a very large number. Specifying a time range in the workflow setup does not work as it is relative to now.
Can we make the time range relative to the event that the workflow is triggered from? Or is there another way we could solve this?
Based on the answer from nick it seems that for now (4.1.3) there is no straightforward way to do this.
The workaround we found was to use nick's suggestion of adding a now= clause to the search string in the workflow action. This would be perfect if the format of the _time field was not being changed somewhere in the workflow action code. Since now can only take epochtime format the change of format (away from epochtime) was breaking the solution.
So the extra trick was to add an additional search command to some of the savedsearches/macros that we commonly use.
| convert mktime(_time) as start_time
The downside is that now the action is only available to events generated by these searches/macros. A limitation we hope can be fixed by some improvements to the workflow actions.
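
A sketch of how the workaround described above could look in workflow_actions.conf, added here as an illustration and not the poster's actual configuration. The stanza name, the macro name `app_transaction` and the five-minute window are assumptions; `start_time` is the epoch field produced by the convert command shown in the post.

```ini
# Hypothetical stanza name; the real one is whatever the GUI generated.
[show_transaction]
type = search
label = Show transaction
display_location = event_menu

# Offer the action only on events that carry all three fields. start_time
# exists only when the originating search ran
#   | convert mktime(_time) as start_time
# which is why the action is limited to those searches and macros.
fields = host, thread, start_time

# app_transaction is a placeholder for the two-argument macro from the post.
# now= pins the reference point to the event's epoch time, so the relative
# earliest/latest bounds are evaluated around the event instead of around
# the moment the user clicks. The +/- 5 minute window is an assumed value;
# size it to the longest transaction you expect.
search.search_string = `app_transaction($thread$, $host$)` now=$start_time$ earliest=-5m latest=+5m

# Open the secondary search in a new window so the original results stay put.
search.target = blank
```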