Hi Splunkers,
When I run the first search, it returns a zero value, whereas the second search gives the correct value. Please explain how this works.
Search 1:
|stats count | eval next_time=relative_time(now(),"-45y")
Search 2:
|stats count | eval next_time=relative_time(now(),"-45y")| convert ctime(*_time)
This behaviour is because of this issue http://answers.splunk.com/answers/204021/limitation-in-relative-time-function.html
So see, your command eval next_time=relative_time(now(),"-45y") will provide no results that you eventually converted,
because if you run these commands you get the same result:
|stats count | eval next_time=relative_time(now(),"-45y")| convert ctime(_time)
or |stats count | convert ctime(_time)
Try the following different commands to understand the operation.
|stats count | convert ctime(count)
or
|stats count | convert timeformat="%H:%M:%S" ctime(count)
or
|stats count | eval next_time=count| convert ctime(_time)
or
|stats count | convert ctime(_time) next_time
In the first search it's zero as it's epoch time (start time), and when you are converting this epoch time in the second search, it's giving it in date format.
http://en.wikipedia.org/wiki/Unix_time