Solved: How to reference the search time range

trunghung · ‎03-17-2016

I have a query to breaks up the search result into multiple time period below

eval Period=if(_time > relative_time(now(),"-2d"),if(_time > relative_time(now(),"-1d"),"day_0_1","day_1_2")

This works if the query latest time is now, but if I select the time range to be 7-10 days ago, how would I reference the start time of the search time range so I can pass it into relative_time? thanks

somesoni2 · ‎03-17-2016

Try something like this. The addinfo command adds the current time range into search result, info_min_time=earliest and info_max_time=latest.

your base search | addinfo |eval Period=case(_time > relative_time(info_max_time,"-2d"),"day_1_2", if(_time > relative_time(info_max_time,"-1d"),"day_0_1",1=1,"not set")

View solution in original post

somesoni2 · ‎03-17-2016

Try something like this. The addinfo command adds the current time range into search result, info_min_time=earliest and info_max_time=latest.

your base search | addinfo |eval Period=case(_time > relative_time(info_max_time,"-2d"),"day_1_2", if(_time > relative_time(info_max_time,"-1d"),"day_0_1",1=1,"not set")

How to reference the search time range

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation