Hello,
Does anyone know if there is a way to add an earliest and latest with the pivot command?
Adding earliest or earliest_time doesn't not work.
Just to clarify, I don't want to use the timepicker here, I want to write a pivot command command in the same way I would write: "index=_internal earliest=-15m latest=now"
Regards,
Olivier
 
		
		
		
		
		
	
			
		
		
			
					
		Use _time > 1234567890 or whatever as part of your filter. Or better and more efficient, don't use pivot. Use tstats and the where clause of tstats
Indeed, there was a reason why I wanted to use pivot and it is take advantage of the acceleration of the data model, so indeed the second position isn't a possibility for me. About the first one, it will be quite tricky to achieve it also because there is lots of subsearches and "join type=left". But thank you for the tips.
 
		
		
		
		
		
	
			
		
		
			
					
		Use _time > 1234567890 or whatever as part of your filter. Or better and more efficient, don't use pivot. Use tstats and the where clause of tstats
@gkanapathy, I managed to make it work with tstats. Thx a lot.
Hey gkanapathy! Thank you for the answer. How would you use the _time in the pivot and tstats commands?
I tried the "| pivot ... FILTER _time>1407684453" but no luck. This sounds promising. I start to understand why you say to not use pivot, btw, it takes ages to initialise.
@Martin, nice one, didn't know you could do that with macros 🙂
 
		
		
		
		
		
	
			
		
		
			
					
		Yeah, but probably not directly. You can however define an eval-based macro that does little more than call relative_time().
[relative_time(1)]
args = relative
definition = relative_time(time(), "$relative$")
iseval = 1
This is evaluated before the actual search starts.
Nice idea, but you cannot use the "greater than" operator with pivot command filters, e.g. this does not work:
| pivot
...
filter _time > `relative_time("-5m")`
Or did you have something else in mind?
 
					
				
		
Is it possible to use the eval function relative_time()?
 
		
		
		
		
		
	
			
		
		
			
					
		I see. Assuming my feeling is correct and there is currently no way to specify the time range for a pivot command inline, I see two ways around this. First, it might be possible to build your search using only one larger pivot - that depends on what you're doing. Second, since you apparently already are writing searches manually rather than using the Pivot UI, you could consider falling back to regular search language.
Personally I'd explore the first option, since there probably is a good reason you're using pivot manually rather than traditional search language.
Hi Martin, thank you for replying. I'm trying to do subsearches with pivot using different time ranges
 
		
		
		
		
		
	
			
		
		
			
					
		I don't think so. What are you trying to achieve here?
