Assuming your earliest time is a relative earliest, the easiest would be to say something like
That would grab events from 2 hours ago to 1 hour ago.
hope that helps
Yeah, but my earliest could be something like earliest="07/18/2011:09:00:00" and then latest should be latest="07/18/2011:10:00:00". But I don't want latest to be static, I want it to be defined from the earliest time. Is that possible? Maybe I can use eval or strptime?
This is not pretty at all, but does seem to work. I'll be honest, I only marginally understand how it does work.
[ search earliest=-2h@h | addinfo | head 1 | eval earliest=info_min_time | eval latest=info_min_time+3600 | fields earliest,latest | format "(" "(" "" ")" "OR" ")" ] the rest of your search
The subsearch (basically, if I understand it right) recomputes latest for the outer search based on the info_min_time provided by addinfo in the outer search.
This is quite admittedly an ugly, hackish solution. I hope that someone can provide a more elegant one.
You don't need the strftime() function, just eval earliest=info_min_time and eval latest=info_min_time+3600 will be fine. The format command is fine, but it would be more generally accurate to use format "(" "(" "" ")" "OR" ")" instead.
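Putting the thread together, here is the subsearch technique applied to the absolute earliest time from the question, so that latest is derived as earliest plus one hour rather than typed by hand. This is an added example, not a search posted in the thread; index=web, sourcetype=access_combined and the status field are assumptions, and the subsearch is pointed at the same index only so that it has at least one event to carry the computed fields.

```spl
index=web sourcetype=access_combined
    [ search index=web earliest="07/18/2011:09:00:00"
      | head 1
      | addinfo
      | eval earliest=info_min_time, latest=info_min_time+3600
      | fields earliest latest
      | format "(" "(" "" ")" "OR" ")" ]
| stats count by status
```

The subsearch's own earliest= sets info_min_time to the epoch value of 07/18/2011:09:00:00; the eval adds 3600 seconds to get latest, and format with an empty column separator emits ( ( earliest="..." latest="..." ) ), which Splunk splices into the outer search as its time range. Two things to check when using this: the subsearch needs at least one event in its range (head 1 after a search that matches nothing returns nothing, and the outer search then gets no time constraint from it), and if you would rather not depend on events at all, the asker's own idea works too: build the row with strptime("07/18/2011:09:00:00", "%m/%d/%Y:%H:%M:%S") as earliest, add 3600 for latest, and feed that through the same fields and format commands.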