In searching, I understand that I can specify the time range using one of the presets (like "Last 4 hours") or set it with SPL (e.g.,
My question is different. Is there a variable that can tell me what the duration of the time range being used is? For example, if I used "Last 4 hours", I would expect this field to tell me 240 minutes, and if I used "Last 60 minutes", I would expect the field is tell me 60 minutes.
Motivation for this question: I would like to compute the aggregate queries per second over some time range, so I could just do
stats count | eval queriesPerSecond=count/durationVar
you could pipe to the addinfo command, which will add fields for info_min_time and info_max_time to your events. And then you could do the math from there. Of course, you'd have to determine how to handle odd scenarios like "All Time"...