I wrote a macro where ReleaseInterval2013(month) evaluates starttime and endtime based on the month I select. The starttime and endtime are static dates for each month. I want to save myself from replacing the start/endtimes for every search I do with any month I choose.
My implementation does not work: the starttime and endtime are ignored.
This is what my macro definition looks like:
eval starttime=case($month$=="Jan", "12/8/2012:00:00:00", ...) | eval endtime=case($month$=="Jan", "01/12/2013:00:00:00", ...)
And my search is like this:
searchterms | eval ReleaseMonth="Jan" | `ReleaseInterval2013(ReleaseMonth)` | stats count by lineOfBusiness
I am guessing it is not possible to set these values with eval because eval is evaluated for each log item and the search cannot respond to value changes after the search has started.
Is this assumption correct? And more importantly, what is the best approach to take in my situation? Times.conf only supports relative times as far as I know.
Thank you!