Working on development of a form based dashboard where user will enter a date, and I want to fetch 3 weeks data before that date.so what should be the earliest and latest accordingly?
Example: suppose user entered 7/14/2014:00:00:00, data should be fetched for 3-weeks before that date.
You could calculate the earliest_time in an eval-based macro like this:
index=foo sourcetype=bar earliest_time=`three_weeks_before($date$)` latest_time="$date$" | ...
With the macro three_weeks_before(1) defined like this:
relative_time(strptime("$date$", "%m/%d/%Y:%H:%M:%S"), "-3w")
View solution in original post