Thank you. Putting the earliest and latest in the subsearch worked.
Good that you solved the issue.
It's an interesting issue. The floor command "was" working fine some years ago, and now it seems something is wrong. I tried using eval and floor; it gives a complaint that the right-side floor output cannot be assigned to the left-side variable. Use the bool command inside the if loop along with the floor command. I tried, but no luck.
I checked the eval's man page, but no luck. Something is wrong with the eval command.
I tried the subsearch and return logic as well, but no luck.
OK, it's good that you are able to solve this issue now.
Also, please post your final SPL query for everyone's learning. Thanks.
Below is the query one should use:
[| makeresults
| eval earliest=(floor(now()/600))*600-600,
latest=(floor(now()/600))*600
]
| search index=test ....
Because the subsearch is executed first, the query becomes:
earliest=1234 latest=5678 index=test ...
If one tries to rename earliest or latest to different names (like my_early_time, my_latest_time), there will be no result, as the query will be:
my_early_time=1234 my_latest_time=5678 index=test ...
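An added example, not part of the thread or any poster's code: a Python model of the window the eval above computes, compared with a plain relative range of the last 600 seconds when a scheduled search starts late. This goes beyond the thread's case; the run times, delays and function names are constructed for illustration.

```python
# Added example: constructed run times, not data from the thread.
SPAN = 600  # seconds, the 10-minute bucket used in the thread's eval

def snapped_window(now, span=SPAN):
    """Mirror of the thread's eval: the last complete bucket before `now`."""
    latest = (now // span) * span
    return latest - span, latest

def relative_window(now, span=SPAN):
    """Window a plain relative range (last `span` seconds up to now) covers."""
    return now - span, now

def coverage_problems(windows):
    """Return (gap_seconds, overlap_seconds) summed over consecutive windows."""
    gaps = overlaps = 0
    for (_, prev_latest), (cur_earliest, _) in zip(windows, windows[1:]):
        delta = cur_earliest - prev_latest
        if delta > 0:
            gaps += delta       # events in this span are never searched
        else:
            overlaps += -delta  # events in this span are searched twice
    return gaps, overlaps

def subsearch_terms(now, span=SPAN):
    """The field=value text the subsearch hands to the outer search."""
    earliest, latest = snapped_window(now, span)
    return f"earliest={earliest} latest={latest}"

# Constructed schedule: a search meant to fire every 600 s, each run starting
# a few seconds late (hypothetical scheduler delay).
BASE = 1_700_000_400  # constructed epoch, an exact multiple of 600
DELAYS = [3, 41, 7, 95, 12]
RUN_TIMES = [BASE + i * SPAN + d for i, d in enumerate(DELAYS)]

if __name__ == "__main__":
    snapped = [snapped_window(t) for t in RUN_TIMES]
    relative = [relative_window(t) for t in RUN_TIMES]
    print("snapped  gaps/overlaps:", coverage_problems(snapped))
    print("relative gaps/overlaps:", coverage_problems(relative))
    print(subsearch_terms(RUN_TIMES[0]))
```

With the snapped bounds, every run in the same 10-minute slot searches the same window and consecutive windows tile exactly, so a delayed run neither skips nor re-reads events.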
You can't do it like that. It's not an eval so the expression will be treated literally.
You'd have to use subsearch to create that value dynamically.
Hi @eranhauser ...
Please check this and update us:
|makeresults | eval timeTest=strftime((floor(now()/600))*600,"%Y-%m-%d %H:%M:%S")
| search index=test earliest=timeTest
We think alike. I tried that before, and although I got no error, I also got no result.