This is not pretty at all, but does seem to work. I'll be honest, I only marginally understand how it does work.
[ search earliest=-2h@h | addinfo | head 1 | eval earliest=info_min_time | eval latest=info_min_time+3600 | fields earliest,latest | format "(" "(" "" ")" "OR" ")" ] the rest of your search
The subsearch (basically, if I understand it right) recomputes latest for the outer search based on the info_min_time provided by addinfo in the outer search.
This is quite admittedly an ugly, hackish solution. I hope that someone can provide a more elegant one.
You don't need the strftime() function, just eval earliest=info_min_time and eval earliest=info_min_time+3600 will be fine. The format command is fine, but it would be more generally accurate to use format "(" "(" "" ")" "OR" ")" instead.
Yeah, but my earliest could be something like earliest="07/18/2011:09:00:00" and then latest should be latest="07/18/2011:10:00:00". But I don't want latest to be static, I want it to be defined from earliest time. Is that possible? Maybe I can use eval or strptime?
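An added example, not part of the original thread: the same subsearch technique applied to a fixed start time, with latest derived from earliest through strptime. It assumes a Splunk version that provides the makeresults command; the timestamp is the one quoted in the question above.

```spl
[ | makeresults
  | eval earliest=strptime("07/18/2011:09:00:00", "%m/%d/%Y:%H:%M:%S")
  | eval latest=earliest+3600
  | fields earliest, latest
  | format "(" "(" "" ")" "OR" ")" ]
the rest of your search
```

The subsearch expands to a string of the form ( ( earliest="<epoch>" latest="<epoch+3600>" ) ), which the outer search reads as its time range. strptime interprets the timestamp in the searching user's time zone, so the window follows that setting.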