I have a search that needs to either snap to 7am (-7h@d+7h) or 7pm (-7h@d+19h) depending on whether the time of search (now()) is between 7am-7pm or 7pm-7am. For example, if it is 8:30am, I need to see my search using earliest=-7h@d+7h, but if it is 21:15, I need to see my search using earliest=-7h@d+19h.
I tried the following if statement, but it doesn't work.
earliest=if(now()>="-7h@d+7h" AND now()<"-7h@d+19h", "-7h@d+7h", "-7h@d+19h")
This is for an embedded report, so I wasn't thinking I could use any XML or tokens.
Thanks!
Like this:
| makeresults
| eval earliest=if(now()<=relative_time(now(),"-7h@d+7h") AND now()>=relative_time(now(),"-7h@d+19h"),"-7h@d+7h", "-7h@d+19h")
| map search="search earliest=$earliest Your Search Here"
Some minor typos, but otherwise this works. Thank you!
| makeresults
| eval earliest=if(now()>=relative_time(now(),"-7h@d+7h") AND now()<relative_time(now(),"-7h@d+19h"),"-7h@d+7h", "-7h@d+19h")
| map search="search earliest=$earliest$ Your Search Here"
Bonus question - how do I escape quotes without using XML (this code is going in a macro)? My map search pipe needs to look like this:
| map search = "search earliest=$earliest$ index=my_index Process="Thing & Thing" Parameter=my_parameter"
I've determined that the quotes around "Thing & Thing" are messing up the search string. My workaround is to add another line below map search with
| search Process="Thing & Thing"
but this seems really kludgy.
You can escape by using ... \"Thing & Thing\" ...
To handle that in search itself, you need to override earliest using a subsearch, like this:
your base search [| gentimes start=-1 | eval earliest=if(now()>=relative_time(now(),"-7h@d+7h") AND now()<relative_time(now(),"-7h@d+19h"),"-7h@d+7h", "-7h@d+19h") | table earliest ] ...| rest of the search
I've used the relative time modifier from your question, so check if that's giving you correct values.
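The window selection from the corrected eval, emulated in Python as an added example (it is not code from this thread or from Splunk): it reproduces what relative_time does with -7h@d+7h and -7h@d+19h on naive local datetimes, shows why the -7h shift before the @d snap makes an 02:00 search pick the previous evening's 7pm, and shows that the first answer's reversed comparison could never be true. Sample search times are constructed, and time zone handling is assumed to be naive local time.

```python
from datetime import datetime, timedelta


def relative_time_7h_snap(now, plus_hours):
    """Emulate Splunk relative_time(now, "-7h@d+<plus_hours>h") on a naive
    local datetime: step back 7 hours, snap to midnight (@d), add the offset.
    The -7h before the snap is what makes 00:00-06:59 land on the previous day."""
    shifted = now - timedelta(hours=7)
    midnight = shifted.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight + timedelta(hours=plus_hours)


def choose_earliest(now_iso):
    """Apply the corrected eval: -7h@d+7h when now is in [7am, 7pm),
    otherwise -7h@d+19h. Returns (modifier, absolute earliest as ISO text)."""
    now = datetime.fromisoformat(now_iso)
    seven_am = relative_time_7h_snap(now, 7)
    seven_pm = relative_time_7h_snap(now, 19)
    # Because of the -7h shift the 7am comparison is always true, so the
    # 7pm comparison alone decides which window is selected.
    if now >= seven_am and now < seven_pm:
        return "-7h@d+7h", seven_am.isoformat(timespec="minutes")
    return "-7h@d+19h", seven_pm.isoformat(timespec="minutes")


def inverted_condition_holds(now_iso):
    """The first answer's test (now <= 7am snap AND now >= 7pm snap). The 7am
    snap is always earlier than the 7pm snap, so this is never true and that
    version always fell through to -7h@d+19h."""
    now = datetime.fromisoformat(now_iso)
    return (now <= relative_time_7h_snap(now, 7)
            and now >= relative_time_7h_snap(now, 19))


if __name__ == "__main__":
    # Constructed sample search times, including the after-midnight edge case.
    for sample in ("2024-03-05T08:30", "2024-03-05T21:15",
                   "2024-03-06T02:00", "2024-03-06T07:00"):
        print(sample, "->", choose_earliest(sample),
              "inverted:", inverted_condition_holds(sample))
```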