HI,

I would like to know if it's possible in the earliest / latest fields of a search to have something like:

index=myindex earliest="the time this search has started"-X seconds latest="the time this search has started" -Y seconds

Is it possible?

The aim is to run a saved search that populates a summary index, but I need to backfill this index with a search that contains earliest=-20h latest=-10h, but running the search as it is with the fill_summary_index.py command line returns no results because events I need to backfill occurs a long time before -20h (I need to backfill 4 month of datas).

I think I can have an eval statement that would compute what I want, and then just use where, but it would be very inefficient time wise.

Thanks,

EDIT

Thanks to the answers, I found that I can use earliest= [some search | return result] to populate the earliest field to look for data when I want. Problem is that I can't find a way to say:

earliest=["search that returns the starting scheduled time of this saved search"]

The keyword 'now' returns the starting time of the search when put inside the earliest field, but it's not what I want, I would like to have the starting SCHEDULED time, not the actual time I run the search.

I don't know if it's the right way to do it, and if there is another way, I would gladly try it.