Solved: How to make eval now() takes latest time filter?

jamin358 · ‎05-17-2023

I have a search that makes a decision based on time since an event.

| eval diff = now() - _time

and then make some decision based on how long ago the event took place

| eval state = if(diff<300, "active", "not active")

However, if I want to run this historically, my diffs are set to current time so I can't easily look historically at a point in time and tell the state of the world (with the same search).

Is there a time function in search where I can pull the earliest and latest time filters?

eg

| eval diff = $timerange.latest$ - _time

ITWhisperer · ‎05-17-2023

| addinfo
| eval diff = info_max_time - _time

View solution in original post

ITWhisperer · ‎05-17-2023

| addinfo
| eval diff = info_max_time - _time

How to make eval now() takes latest time filter?

eval

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation