Solved: How to reference the search time range

trunghung · ‎03-17-2016

I have a query to breaks up the search result into multiple time period below

eval Period=if(_time > relative_time(now(),"-2d"),if(_time > relative_time(now(),"-1d"),"day_0_1","day_1_2")

This works if the query latest time is now, but if I select the time range to be 7-10 days ago, how would I reference the start time of the search time range so I can pass it into relative_time? thanks

somesoni2 · ‎03-17-2016

Try something like this. The addinfo command adds the current time range into search result, info_min_time=earliest and info_max_time=latest.

your base search | addinfo |eval Period=case(_time > relative_time(info_max_time,"-2d"),"day_1_2", if(_time > relative_time(info_max_time,"-1d"),"day_0_1",1=1,"not set")

View solution in original post

somesoni2 · ‎03-17-2016

Try something like this. The addinfo command adds the current time range into search result, info_min_time=earliest and info_max_time=latest.

your base search | addinfo |eval Period=case(_time > relative_time(info_max_time,"-2d"),"day_1_2", if(_time > relative_time(info_max_time,"-1d"),"day_0_1",1=1,"not set")

How to reference the search time range

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

From GPU to Application: Monitoring Cisco AI Infrastructure with Splunk Observability ...

Application management with Targeted Application Install for Victoria Experience

Join the Conversation

How to reference the search time range

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

From GPU to Application: Monitoring Cisco AI Infrastructure with Splunk Observability ...

Application management with Targeted Application Install for Victoria Experience