I have a dashboard panel where I'm trying to show how many users are experiencing a specific Event for the first time in the last x days. Right now I have the the search syntax set up where it will look at the last x days and will only show users who have NOT experienced that same event in the last 5 months. This works with relative time frames (in last 7 days) but doesn't work with absolute time frames with epoch values (Since 1/20/21 until now). Is there a way to modify the search so that it works with both types of time available from the time picker? Can I set a variable depending on the type of time selected from a time_picker input? For example, can I set a variable where if the input time_picker is "x days ago" it inserts the following into the search: | eval DAYSAGO=relative_time(now(),"-6d@d") but if the input time_picker is "Since 1/27/2021 until now" it inserts this: | eval DAYSAGO=1611705600 index="index_summary"
| stats earliest(EventTime) AS Earliest_TimeStamp, earliest(orig_time) AS Earliest_TimeStampEpoch, count(eval(EventId="148" OR EventId="170")) AS "Device Enrollments" by EnrollmentEmailAddress, DeviceFriendlyName, Platform
| where 'Device Enrollments' < 6
| sort - "Device Enrollments"
| eval DAYSAGO=relative_time(now(),"-6d@d")
| where DAYSAGO < Earliest_TimeStampEpoch
| stats count sum(EnrollmentEmailAddress) as "Users"
... View more