Solved: How to add an offset of one month to a date token?

Kavey · ‎04-26-2016

Hi,

I have a form where the user can choose a date which is actually a month of a specific year (MM-YYYY) used as a token for the time modifier "earliest". Then I would like to add an offset of one month to the chosen date for "latest".

I know I could do something like:

mysearch earliest="epochtime_date" | eval latest=earliest+2592000 | ...

However, I would like to have the best performance possible by minimizing as much as I can the time range of my search so I need to have a search more like:

mysearch earliest="epochtime_date" latest="earliest_one_month_offset" | ...

I've been doing research, but I couldn't find anything. Do you think it would possible?

Thank you!

ktugwell_splunk · ‎04-26-2016

Tried using relative_time?

| eval time=relative_time(now(), "+1mon")

http://docs.splunk.com/Documentation/Splunk/6.4.0/SearchReference/CommonEvalFunctions

That should meet your requirement.

View solution in original post

ktugwell_splunk · ‎04-26-2016

Tried using relative_time?

| eval time=relative_time(now(), "+1mon")

http://docs.splunk.com/Documentation/Splunk/6.4.0/SearchReference/CommonEvalFunctions

That should meet your requirement.

Kavey · ‎04-27-2016

Thank you not exactly what I want but it is working perfectly.

How to add an offset of one month to a date token?

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector