Solved: How to change the source value in my search when I...

sfatnass · ‎07-19-2016

hi

I want to change the source on my request when the timechange.

I'll explain:
I have a lot of directories named by date and I use this as the source.

Example:

index=my_index source="20160513"

When I change the date, I need to change the source value.
So, if the earliest time search equals 20160522, then my search will be:

index=myindex source="20160522"

My test is:

index=myindex |addinfo | eval time1=strftime(info_min_time, "%Y%m%d")  |where source=time1 |table field1 field2 ......

but this doesn't work for me and I don't know how I can do this.

if any body have a solution thx

somesoni2 · ‎07-19-2016

Try like this

index=myindex [| gentimes start=-1 | addinfo | eval source=strftime(info_min_time, "%Y%m%d") | table source ] | rest of your search

somesoni2 · ‎07-19-2016

Try like this

index=myindex [| gentimes start=-1 | addinfo | eval source=strftime(info_min_time, "%Y%m%d") | table source ] | rest of your search

sfatnass · ‎07-22-2016

It works very well.
What about if I want to search one day ago?
I tried this, but it does not work:

index=myindex [| gentimes start=-1 | addinfo | eval source=relative_time(strftime(info_min_time,"-1d@d"), "%Y%m%d") | table source ]

How to change the source value in my search when I change the date time range?