I have a search where I have been using "latesttime=-2d@d" to specify the time range, like so:
This works great, but now, however, I wish to change this to an absolute date, not relative to the time the search is made. I understand I could use the following pattern:
But I would really like to avoid explicitly stating an epoch time if I can. Is there a function to eval that I'm missing that allows me to convert a date-string into epoch time that I could use, or is there some other pattern altogether that I should be using?
To expand somewhat on the use case in question:
The search itself needs to contain two different timespans, a search that will use |accum over a large timespan, and then charting all changes to it during another specific timespan. My approach is thus:
... earliest=-6mon latest="$end$" | timechart eval(sum(x)-sum(y)) as x | accum x as total | eval start="$start$" | convert mktime(start) | where _time>=start
Where $end$ and $start$ are supplied by the user in a form search.
The thinking is that we accumulate a starting value for our total-field that reaches far in the past. However, when we want to plot this, we are only interested in what value total had within a certain time window ($start, $end).
I hope that sheds some light on the problem, and as you can see, this current approach includes both the suggestions of gkanapathy and Simeon. It is, however, a shame to note that $end$ and $start$ here require different time formats (one of them needs ":" between YYYY and HH, while the other requires a space).
You would use the convert command with the mktime function:
... | convert mktime(your_time_field)
More details here:
The opposite command is the ctime function.
If you can detail your exact data set and use case, the answer will be that much more detailed.
You can simply express a time parameter like this:
to specify an absolute time. Sorry, US date format. If you want a different one, you can do this:
sourcetype=xyz timeformat="%Y-%m-%dT%H:%M:%S" latest="2010-06-15T12:34:56"
timeformat must come before the time in the search string.
NOTE: If you're using the UI, I really recommend sticking with the absolute time functionality in TimeRangePicker > Custom Time. If you use time terms in the search string, the UI will nag you about it with that little blue bar from now to eternity.
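Putting the question's two-timespan search together with the timeformat option from the answer above, as an added example that is not from the original thread: it assumes both form tokens arrive as "YYYY-MM-DD HH:MM:SS", so one format string serves both the latest= modifier and the convert step, and the two tokens no longer need different layouts.

```spl
sourcetype=xyz earliest=-6mon timeformat="%Y-%m-%d %H:%M:%S" latest="$end$"
| timechart eval(sum(x)-sum(y)) as x
| accum x as total
| eval start="$start$"
| convert timeformat="%Y-%m-%d %H:%M:%S" mktime(start)
| where _time>=start
```

The timeformat on the first line must precede latest= (as noted above), and the timeformat option on convert applies the same layout when turning the $start$ string into epoch seconds, so a token like 2010-06-15 12:34:56 is accepted in both places.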