I want to run a query every 5 minutes starting from today 7 AM to next day 5 AM and so on. Throughout my run earliest time should be 7 AM today and latest can be now.
I tried several combinations but everything messed up when running over the mid noght. after the 12 00 AM the earliest is becoming invalid. All of the below methods taking earliest time as 7 AM till end of the day. when running after the mid night throwing error saying earliest time should not be greater than latest time.
Try 1
| makeresults | eval starttime=strptime(strftime(now(),"%d/%m/%Y 07:00:00 AM"),"%d/%m/%Y %I:%M:%S %p") , endtime=starttime+7920
Try 2
earliest=@d+7h
Try 3
| eval now=now()
| eval earliest=relative_time(now, "@d+1d+7h")
| eval earliest=if((earliest<now), earliest, relative_time(now, "@d+7h"))
| eval search = "earliest=" . earliest
| table search]
... View more