I have a search query that begins like this:
index=someData earliest=08/06/2015:10:00:00 latest=08/06/2015:21:00:00... rest of search.
I need to set the dates of earliest and latest to today's date. If I've understood it correctly, I should be able to convert the now value to epoch time, but then I need to use eval, and that is not possible(?) within the first search pipe. How should I structure the search so that I can do this effectively?
Edit: I should mention that I cannot use any d@d or similar as I use the search in an overlay comparing results for two days and this will mess up the timeline.
I don't follow your use case entirely, but you can use a subsearch to emit earliest and latest. See http://answers.splunk.com/answers/65255/returning-time-from-subsearch-to-main-search.html
HOWEVER, looking at your use case in the reply below you can probably accomplish the same with relative time trickery, something like:
earliest=@d+10h latest=@d+17h <rest of search>
The "additive/subtractive" modifiers on the relative time operators are a great way of getting to a particular point in time. You can add to them in nearly arbitrarily complex ways too.
Or other such tomfoolery. Perhaps this is more like what you're trying to do?
Also also, if you are doing day-over-day comparisons or other such things, you should know about the timewrap app. https://splunkbase.splunk.com/app/1645/#/overview
I understand, it's a bit difficult to explain. What I basically want to do is to replace latest with the date of the day that the search is performed, i.e. "today" in the format MM/DD/YYYY:XX:00:00 (where X is a fixed time), sort of like:
index=someData earliest="get.todaysDate":10:00:00 latest="get.todaysDate":21:00:00
The @dwaddle solution applied:
index=someData [noop|stats count|fields|eval earliest=relative_time(now(),"@d+10h")|eval latest=relative_time(now(),"@d+21h")| convert timeformat="%m/%d/%Y:%T" ctime(*)| format "" "" "" "" "" ""] ... rest of search
If we are using macros for earliest and latest, this approach of adding time would not work. We need to create a subsearch.