How are you getting the "earliest" time set?
This is not pretty at all, but does seem to work. I'll be honest, I only marginally understand how it does work.
[ search earliest=-2h@h
| addinfo
| head 1
| eval earliest=info_min_time
| eval latest=info_min_time+3600
| fields earliest,latest
| format "(" "(" "" ")" "OR" ")" ]
the rest of your search
The subsearch (basically, if I understand it right) recomputes earliest and latest for the outer search based on the info_min_time provided by addinfo in the outer search.
This is quite admittedly an ugly, hackish solution. I hope that someone can provide a more elegant one.
This is so awesome. Worked perfectly.
I tried for a similar problem and it worked!
Great!
Marco
So earliest and latest understand time_t directly? Did not get that from the docs (but did not try it). Sweet!
You don't need the strftime() function, just eval earliest=info_min_time and eval earliest=info_min_time+3600 will be fine. The format command is fine, but it would be more generally accurate to use format "(" "(" "" ")" "OR" ")" instead.
But when I write my search string, is it possible to write something like index="summary" earliest="07/18/2011:09:00:00" latest=startime+1h?
You also have the option of "searchtimespanminutes".
I had the same question and searchtimespanminutes worked for me. It's concise and easy to use. I wish this was an answer I could upvote!
Refer to example 2 of chain. Under the search option you have earliest and latest time; you can "chain" times.
I am not sure how you are specifying your start time, but the end time would be (<starttime>+h).
Probably not the answer you are looking for, but I am hoping it is a baby step.
Yeah, but my earliest could be something like earliest="07/18/2011:09:00:00" and then latest should be latest="07/18/2011:10:00:00". But I don't want latest to be static, I want it to be defined from the earliest time. Is that possible? Maybe I can use eval or strptime?
Assuming your earliest time is a relative earliest, the easiest would be to say something like
earliest=-2h
latest=-1h
That would grab events from 2 hours ago to 1 hour ago.
Hope that helps.
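The thread never shows a complete search for the absolute-time case the follow-up question asks about (an earliest such as "07/18/2011:09:00:00" with latest derived from it). The search below is an added example written for this page, not code from the accepted answer or from any of the commenters. It assumes the index is called summary, as in the question above, that makeresults is available (Splunk 6 and later), and that the one-hour window is the +3600 from the accepted answer. The subsearch builds a single row with makeresults, parses the start time with strptime, adds 3600 seconds to get latest, and passes both fields to the outer search through format, the same mechanism the accepted answer uses with addinfo:

```spl
index="summary"
    [| makeresults
     | eval earliest=strptime("07/18/2011:09:00:00", "%m/%d/%Y:%H:%M:%S")
     | eval latest=earliest+3600
     | fields earliest latest
     | format "(" "(" "" ")" "OR" ")" ]
| stats count by sourcetype
```

The subsearch expands to a clause of the form ( ( earliest="<epoch>" latest="<epoch>" ) ), which the search command accepts as a time range; the epoch values depend on the time zone of the user running the search, because the input string carries no zone. The empty column separator in format is what keeps the two fields side by side instead of joining them with AND. Because makeresults always yields exactly one row, no head 1 is needed and the subsearch does not depend on any events existing in the window. Replace the trailing stats with the rest of your search.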