Hi,
My inner search returns the date and time (for eg 06-22-2015-23). I want to use this time in my outer search as earliest time = "06-22-2015-23" and latest should be one hour after that(06-23-2015-00) i.e one hour post the earliest time.
earliest time = "06-22-2015-23"
For eg.
"outer search" [search ... | eval MyLatestTime=_time | fields + MyLatestTime | rename MyLatestTime as earliest] latest= earliest+1
Thanks in advance
This should do:
"outer search" [search ... | eval earliest = _time | eval latest = relative_time(_time, "+h") | fields earliest latest | format "" "" "" "" "" ""]
View solution in original post
Yeah, to the very end.
info_min_time is a field added by addinfo, containing the minimum end of the time range set by earliest. http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/addinfo
info_min_time
addinfo
earliest
In order to display the earliest time used in a search you can append this to the end:
... | addinfo | eval fieldname = strftime(info_min_time, "%m-%d-%Y-%H") | fields - info_*
I'm still not clear. how is info_min_time related to earliest time ?
do you mean to append this information at like :
outer search" [search ... | eval earliest = time | eval latest = relative_time(_time, "+h") | fields earliest latest] | addinfo | eval fieldname = strftime(info_min_time, "%m-%d-%Y-%H") | fields - info*
Thanks Martin. I have one more requirement. I want to show the result of inner query i.e (06-22-2015-23) in the results of outer search.
For eg. if my outer search returns A,B,c I want something like A,B,C,06-22-2015-23.
Thanks
