Solved: How to reference the search time range

trunghung · ‎03-17-2016

I have a query to breaks up the search result into multiple time period below

eval Period=if(_time > relative_time(now(),"-2d"),if(_time > relative_time(now(),"-1d"),"day_0_1","day_1_2")

This works if the query latest time is now, but if I select the time range to be 7-10 days ago, how would I reference the start time of the search time range so I can pass it into relative_time? thanks

somesoni2 · ‎03-17-2016

Try something like this. The addinfo command adds the current time range into search result, info_min_time=earliest and info_max_time=latest.

your base search | addinfo |eval Period=case(_time > relative_time(info_max_time,"-2d"),"day_1_2", if(_time > relative_time(info_max_time,"-1d"),"day_0_1",1=1,"not set")

View solution in original post

somesoni2 · ‎03-17-2016

Try something like this. The addinfo command adds the current time range into search result, info_min_time=earliest and info_max_time=latest.

your base search | addinfo |eval Period=case(_time > relative_time(info_max_time,"-2d"),"day_1_2", if(_time > relative_time(info_max_time,"-1d"),"day_0_1",1=1,"not set")

How to reference the search time range

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio