@renjith.nair
For some reason i couldn't comment to you in your answer.

This eval is part of the correlation search - "Endpoint - Anomalous New Processes" :

|from inputlookup:"localprocesses_tracker" | eval earliestQual=case(match("-24h@h", "^\d"), tostring("-24h@h"),  match("-24h@h", "^([@+-]){1}"), relative_time(time(), "-24h@h"),  true(), time()) | eval latestQual=case(match("+0s", "^\d"), tostring("+0s"),  match("+0s", "^([@+-]){1}"), relative_time(time(), "+0s"),  true(), time()) | where ('firstTime'>=earliestQual AND 'firstTime'<=latestQual) | fields - earliestQual, latestQual | stats dc(dest) as "dest_count",values(dest) as "dest" by "process" | where 'dest_count'>9

What i thought is that this eval calculates a time value of the last 24 hours depending on how the source time is represented.
I just didn't understand how the -24h@h knows which time source to refer.

I appreciate your help!!

@astatrial ,
If its part of Enterprise Security, it might be part of the macros. localprocesses_tracker has mainly information about the process history (dest,firstime,lasttime,process) . So most probably whatever you are seeing is an expanded search with values substituted.

you are right.
It is not the complete eval expression.
The complete eval expression is :

| eval earliestQual=case(match("-24h@h", "^\d"), tostring("-24h@h"), match("-24h@h", "^([@+-]){1}"), relative_time(time(), "-24h@h"), true(), time())

I just didn't want to confuse you with non relevant info.

The second clause in your answer is exactly my question - This expression isn't relative to any time, so how it is getting its value ?

@astatrial ,
In a plain text search , it does not make much sense. However , I strongly believe that its part of a dashboard with a time input in it. In that case, -24h@h is not a string value in the search but a token in the form $some_token$ which carries value from the time input and this eval statement tries to find out what the user has opted from the time input

This eval is part of the "Endpoint - Anomalous New Processes" correlation search. There is no use of token in it.

|from inputlookup:"localprocesses_tracker" | eval earliestQual=case(match("-24h@h", "^\d"), tostring("-24h@h"), match("-24h@h", "^([@+-]){1}"), relative_time(time(), "-24h@h"), true(), time()) | eval latestQual=case(match("+0s", "^\d"), tostring("+0s"), match("+0s", "^([@+-]){1}"), relative_time(time(), "+0s"), true(), time()) | where ('firstTime'>=earliestQual AND 'firstTime'<=latestQual) | fields - earliestQual, latestQual | stats dc(dest) as "dest_count",values(dest) as "dest" by "process" | where 'dest_count'>9

What i thought is that this eval calculate a time value of the last 24 hours in specific pattern depending on how the time is represented (i.e in the time picker). But i didn't understand how the expression -24h@h knows to get this value.
Is it some kind of known phrase in splunk?

I really appreciate your help ! |

This code indeed looks familiar for a dashboard I've worked on once. I used eval in the change event of a time input in a case where I always needed an epoch value from the input, regardless of the actual selection (a time picker will return something like -1w for earliest if you select last week). It looked something like

<change>
  <eval token="time_earliest_alwaysepoch">case(match($value$, "^\d+"), $value$, match($value$, "[+-]\d+@?"), relative_time(now(), $value$)</eval>
</change>

This was to make sure I always had an epoch value in that token, and it led me to this discussion. I doubt your code makes sense, as @renjith.nair already pointed out in his comment.

In normal cases like where you mention earliest=-24h@h, in that case it the time range will go back to last 24 hours and snap the hour field.