I want to get at the duration of the search timeframe within the search itself. So if I set the search to look at the previous month, I want to know within the search the length of that month (in days, hours, whatever, I can convert if I can get it in some time format). This seems like it should be easy but I can't figure out how to do it, as searching for words like 'time frame' gives me a huge amount of results.
Are there some variables or functions that I can use to get this?
Thanks! Now, stupid question, how do I use them to get the duration of the time? Can't seem to figure that out. I think I need to use some conversion functions but haven't quite found the right one.
I tried that earlier (first thing I thought of)...It didn't work?? Here's the last part of my search:
|eval totaltime=info_max_time-info_min_time|table totaldowntime, totaltime
My table showed the totaldowntime (calced earlier in the search) but not the total_time. Am I missing a fatfinger? The addinfo was also earlier in the search.
It worked for me. If possible, I would place the addinfo right before the eval for total time. Perhaps you are losing those info_ variables before you get to the eval. You could try placing " | addinfo | eval duration = info_max_time - info_min_time | table info_max_time, info_min_time, duration" at the end of any test search to see if it is working for you before you plug it into your actual search.
That's it! Moving the addinfo did the trick! Probably makes sense as I had a where command a bit earlier in the search but after the addinfo. Thanks!
Glad to hear it, auntyem! For future, I don't believe a 'where' command would remove fields. More likely it would be a 'table' or 'fields' command, which limit fields in all events, rather than events themselves, as is the case with 'where'.
I believe you are looking for searchEarliestTime and searchLatestTime. This thread describes the process of getting them using the search ID, and a comment describing a solution that might meet your requirements.
Hope that helps.
Update: I think jonuwz's solution is easiest.
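The addinfo approach from the thread above, written out as a stand-alone test search (an added example, not posted by any participant). It places addinfo directly before the eval, treats an "All time" search, where info_max_time is "+Infinity", as ending at now(), and converts the result to days and to a readable duration; the field names search_end, duration_secs, duration_days and duration_readable are made up for the example.

```spl
| makeresults
| addinfo
| eval search_end = if(info_max_time == "+Infinity", now(), info_max_time)
| eval duration_secs = search_end - info_min_time
| eval duration_days = round(duration_secs / 86400, 2)
| eval duration_readable = tostring(duration_secs, "duration")
| table info_min_time, search_end, duration_secs, duration_days, duration_readable
```

In a real search, replace the makeresults line with the base search and keep any table or fields command after these evals so the info_ fields are still present when they are used.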