I have a search where I have been using "latesttime=-2d@d" to specify the time range, like so:
... latesttime=-2d@d
This works great, but now, however, I wish to change this to an absolute date, not relative to the time the search is made. I understand I could use the following pattern:
... _time<=123456789
But I would really like to avoid explicitly stating an epoch time if I can. Is there a function to eval that I'm missing that allows me to convert a date-string into epoch time that I could use, or is there some other pattern altogether that I should be using?
To expand somewhat on the use case in question:
The search itself needs to contain two different timespans, a search that will use |accum over a large timespan, and then charting all changes to it during another specific timespan. My approach is thus:
... earliest=-6mon latest="$end$" | timechart eval(sum(x)-sum(y)) as x | accum x as total | eval start="$start$" | convert mktime(start) | where _time>=start
Where $end$ and $start$ are supplied by the user in a form search.
The thinking is that we accumulate a starting value for our total-field that reaches far in the past. However, when we want to plot this, we are only interested in what value total had within a certain time window ($start, $end).
I hope that sheds some light on the problem, and as you can see, this current approach includes both the suggestions of gkanapathy and Simeon. It is, however, a shame to note that $end$ and $start$ here require different time formats (one of them needs ":" between YYYY and HH, while the other requires a space).
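As an added example (not from the original post or from the answers it mentions), the same two-window search with the lower bound parsed by Splunk's `strptime` eval function instead of `convert mktime`: `strptime` takes an explicit format string, so both form tokens can use the `%m/%d/%Y:%H:%M:%S` layout that absolute `earliest`/`latest` accept. The index name, the field names x, y and total, and the token format are assumptions.

```spl
index=main sourcetype=myevents earliest=-6mon latest="$end$"
| timechart span=1d eval(sum(x)-sum(y)) as x
| accum x as total
| eval start=strptime("$start$", "%m/%d/%Y:%H:%M:%S")
| eval start_check=strftime(start, "%Y-%m-%d %H:%M:%S")
| where isnotnull(start) AND _time>=start
| fields - start start_check
```

`strptime` returns null when the string does not match the format, and `_time>=null` is false for every row, so the `isnotnull(start)` guard (or inspecting `start_check` before dropping it) turns a mismatched token into an obvious empty result rather than a silently truncated chart.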