I need to eval the time in hours between now and the earliest time from the timepicker, to use it in a search.
E.g., if the timepicker is set to “last 24 hours”, the evaluated time should be 24h; for “last 2 days”, 48h; etc. Thank you!
Like this:
... | addinfo | eval hours_between_now_and_earliest = round(((now() - info_min_time) / 60 / 60), 2) | fields - info_*
Thanks! Can you explain what this part is doing "| fields - info_*"?
There was a typo; I was using earliest when I should have been using info_min_time. I edited my answer and fixed it.
It is getting rid of the info_* fields that were added by the call to addinfo.
@kimberlytrayson
You can try the addinfo command.
info_min_time = The earliest time boundary for the search.
info_max_time = The latest time boundary for the search.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/addinfo
Sorry, it will be epoch time, right?
Yes, @kimberlytrayson,
Please check the links below for the time picker label.
https://answers.splunk.com/answers/633356/whats-the-token-name-for-the-time-pickers-display.html
https://answers.splunk.com/answers/682095/how-to-display-the-label-from-the-time-field-token.html
https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html