I want to get at the duration of the search timeframe within the search itself. So if I set the search to look at the previous month, I want to know within the search the length of that month (in days, hours, whatever; I can convert if I can get it in some time format). This seems like it should be easy, but I can't figure out how to do it, as searching for words like 'time frame' gives me a huge number of results.
Are there some variables or functions that I can use to get this?
Thanks,
Mary
Add " | addinfo " to your search.
This gives you access to the following fields:
info_min_time: the earliest time bound for the search
info_max_time: the latest time bound for the search.
Docs here
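As an added example (not code from the answer above or from the Splunk documentation), the following search turns the addinfo fields into a window length and uses it to normalize an event count, which is what you usually want when comparing detection volumes across searches run over different time ranges. It assumes the _internal index is readable by your role and uses a fixed seven-day window so the numbers are reproducible; the search criteria, field names and the isnum() guard are my choices, not anything the thread prescribes.

```spl
index=_internal sourcetype=splunkd log_level=ERROR earliest=-7d@d latest=@d
| stats count AS error_count
| addinfo
| eval window_seconds = if(isnum(info_min_time) AND isnum(info_max_time), info_max_time - info_min_time, null())
| eval window_hours = round(window_seconds / 3600, 2)
| eval window_days = round(window_seconds / 86400, 2)
| eval window_human = tostring(window_seconds, "duration")
| eval errors_per_day = round(error_count / window_days, 2)
| eval window_start = strftime(info_min_time, "%Y-%m-%d %H:%M:%S")
| eval window_end = strftime(info_max_time, "%Y-%m-%d %H:%M:%S")
| table window_start window_end window_seconds window_hours window_days window_human error_count errors_per_day
```

info_min_time and info_max_time are epoch seconds, so their difference is the window length in seconds; dividing by 3600 or 86400 gives hours or days, and tostring(x, "duration") renders it as a D+HH:MM:SS style string. The isnum() guard is a precaution so the eval returns null rather than a garbage value if either bound is not a plain number. Note the ordering: addinfo sits after the stats command, because stats (like table and fields) emits only the fields it produces and would otherwise discard the info_* fields. A where command only filters results and leaves fields intact, so it can appear anywhere.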
I believe you are looking for searchEarliestTime and searchLatestTime. This thread describes the process of getting them using the search ID, and a comment describing a solution that might meet your requirements.
Hope that helps.
Update: I think jonuwz's solution is easiest.
Glad to hear it, auntyem! For the future, I don't believe a 'where' command would remove fields. More likely it would be a 'table' or 'fields' command, which limit fields in all events, rather than events themselves, as is the case with 'where'.
That's it! Moving the addinfo did the trick! Probably makes sense, as I had a where command a bit earlier in the search but after the addinfo. Thanks!
It worked for me. If possible, I would place the addinfo right before the eval for total time. Perhaps you are losing those info_ variables before you get to the eval. You could try placing " | addinfo | eval duration = info_max_time - info_min_time | table info_max_time, info_min_time, duration" at the end of any test search to see if it is working for you before you plug it into your actual search.
I tried that earlier (first thing I thought of). It didn't work. Here's the last part of my search:
| eval total_time=info_max_time-info_min_time | table total_down_time, total_time
My table showed the total_down_time (calculated earlier in the search) but not the total_time. Am I missing a fat-finger? The addinfo was also earlier in the search.
How about " | eval duration = info_max_time - info_min_time"? That will give you duration in seconds.
Thanks! Now, stupid question: how do I use them to get the duration of the time? Can't seem to figure that out. I think I need to use some conversion functions but haven't quite found the right one.