Solved: How to reference the search time range

trunghung · ‎03-17-2016

I have a query to breaks up the search result into multiple time period below

eval Period=if(_time > relative_time(now(),"-2d"),if(_time > relative_time(now(),"-1d"),"day_0_1","day_1_2")

This works if the query latest time is now, but if I select the time range to be 7-10 days ago, how would I reference the start time of the search time range so I can pass it into relative_time? thanks

somesoni2 · ‎03-17-2016

Try something like this. The addinfo command adds the current time range into search result, info_min_time=earliest and info_max_time=latest.

your base search | addinfo |eval Period=case(_time > relative_time(info_max_time,"-2d"),"day_1_2", if(_time > relative_time(info_max_time,"-1d"),"day_0_1",1=1,"not set")

View solution in original post

somesoni2 · ‎03-17-2016

Try something like this. The addinfo command adds the current time range into search result, info_min_time=earliest and info_max_time=latest.

your base search | addinfo |eval Period=case(_time > relative_time(info_max_time,"-2d"),"day_1_2", if(_time > relative_time(info_max_time,"-1d"),"day_0_1",1=1,"not set")

How to reference the search time range

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation