I have a search query that begins like this:
index=someData earliest=08/06/2015:10:00:00 latest=08/06/2015:21:00:00... rest of search.
I need to set the dates of earliest and latest to today's date, and if I've understood it correctly I should be able to convert the now value to epoch time, but then I need to use eval and that is not possible (?) within the first search pipe. How should I structure the search so that I can do this effectively?
Edit: I should mention that I cannot use any d@d or similar as I use the search in an overlay comparing results for two days and this will mess up the timeline.
I don't follow your use case entirely, but you can use a subsearch to emit earliest and latest. See http://answers.splunk.com/answers/65255/returning-time-from-subsearch-to-main-search.html
HOWEVER, looking at your use case in the reply below you can probably accomplish the same with relative time trickery, something like:
earliest=@d+10h latest=@d+17h <rest of search>
The "additive/subtractive" modifiers on the relative time operators are a great way of getting to a particular point in time. You can add to them in nearly arbitrarily complex ways too.
earliest=-1d@d+10h+32m latest=@d-15h+30m
Or other such tomfoolery. Perhaps this is more like what you're trying to do?
Also also, if you are doing day-over-day comparisons or other such things, you should know about the timewrap app. https://splunkbase.splunk.com/app/1645/#/overview
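How the additive/subtractive modifiers in this answer resolve against a fixed "now", as an added Python example that is not from the thread or from Splunk: it implements a subset of the relative-time grammar (s/m/h/d/w offsets and @s/@m/@h/@d/@mon/@y snap-to) and renders the bounds in the %m/%d/%Y:%T form the question uses. The function names `snap`, `relative_time`, `earliest_latest` and the 2015 timestamp are my own, constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Subset of Splunk's relative-time grammar handled here (assumption: s/m/h/d/w
# offsets and @s/@m/@h/@d/@mon/@y snap-to). A snap applies where the '@' sits:
# offsets to its left are applied before it, offsets to its right after it.
TOKEN = re.compile(r"([+-]\d*)(s|m|h|d|w)|@(s|m|h|d|mon|y)")
OFFSET_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}

def snap(t: datetime, unit: str) -> datetime:
    """Truncate t down to the start of the given unit, like Splunk's '@unit'."""
    if unit == "s":
        return t.replace(microsecond=0)
    if unit == "m":
        return t.replace(second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    if unit == "d":
        return t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "mon":
        return t.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
    if unit == "y":
        return t.replace(month=1, day=1, hour=0, minute=0, second=0, microsecond=0)
    raise ValueError(f"unsupported snap unit: {unit}")

def relative_time(now: datetime, modifier: str) -> datetime:
    """Evaluate a modifier such as '-1d@d+10h+32m' against a fixed 'now'."""
    t, pos = now, 0
    for m in TOKEN.finditer(modifier):
        if m.start() != pos:  # reject anything the grammar above does not cover
            raise ValueError(f"bad token at offset {pos} in {modifier!r}")
        pos = m.end()
        if m.group(3):  # '@unit' snap
            t = snap(t, m.group(3))
        else:  # '+Nunit' / '-Nunit' offset; a bare '+h' or '-d' means 1 unit
            sign, digits = m.group(1)[0], m.group(1)[1:]
            n = int(digits) if digits else 1
            t += timedelta(**{OFFSET_UNITS[m.group(2)]: n if sign == "+" else -n})
    if pos != len(modifier):
        raise ValueError(f"trailing text in {modifier!r}")
    return t

def earliest_latest(now: datetime, earliest: str, latest: str) -> tuple:
    """Render both bounds the way the question writes them (%m/%d/%Y:%T)."""
    fmt = "%m/%d/%Y:%H:%M:%S"
    return relative_time(now, earliest).strftime(fmt), relative_time(now, latest).strftime(fmt)

if __name__ == "__main__":
    # Constructed 'now' for the demonstration: 2015-08-06 13:45:12.
    print(earliest_latest(datetime(2015, 8, 6, 13, 45, 12), "@d+10h", "@d+21h"))
```

Splunk itself also evaluates these modifiers in the search-time timezone and accepts month and year offsets, which this subset leaves out.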
If we are using macros for earliest and latest, this approach of adding time would not work. We need to create a subsearch.
The @dwaddle solution applied:
index=someData [noop|stats count|fields|eval earliest=relative_time(now(),"@d+10h")|eval latest=relative_time(now(),"@d+21h")| convert timeformat="%m/%d/%Y:%T" ctime(*)| format "" "" "" "" "" ""] ... rest of search
Thank you both, this worked perfectly.
I understand, a bit difficult to explain. What I basically want to do is to replace earliest and latest with the date of the day that the search is performed, i.e. "today", in the format MM/DD/YYYY:XX:00:00 (where X is a fixed time), sort of like:
index=someData earliest="get.todaysDate":10:00:00 latest="get.todaysDate":21:00:00
OH! Well that is perhaps even easier! Let me update the answer with the "right way" 🙂