Hi,
We have a chart for which we get only the earliest time from another chart. Whatever time we get, I want to make latest as earliest + 1 (1 is 1 day here).
How can we set latest time in search based on earliest time?
I am looking at something like index=IndexA earliest="09/09/2013:00:00:00" latest=earliest+1
Thanks
Strive
We are able to do this using sideview utils etime and ltime
Try this approach:
1) Convert your earliest time to epoch time. Example: assuming that this is your earliest time format "2013-08-25T18:42Z", you could convert it to epoch time as follows in Splunk:
|eval earliest_epoch=strptime(earliest,"%Y-%m-%dT%H:%M")
2) Then, add 86400 seconds to the converted epoch time.
|eval latest=earliest_epoch+86400
There is a subsearch-based way of handling that here -- http://answers.splunk.com/answers/27784/latest-add-1-hour
I saw this link first, and since you had mentioned "I hope that someone can provide a more elegant one," I was hoping that someone had already identified an elegant one 🙂 and posted this question. Your solution works perfectly fine. I will use it.
Thanks a lot.
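The two suggestions in this thread (epoch arithmetic with eval, and a subsearch that supplies the time bounds) can be combined into one search. The following is an added example, not code posted by anyone in the thread: the subsearch converts the earliest time from the question to epoch, adds one day, and returns both values as fields named earliest and latest, which the outer search treats as its time modifiers. It assumes a Splunk version that has the makeresults command, which is newer than this thread.

```spl
index=IndexA
    [| makeresults
     | eval earliest=strptime("09/09/2013:00:00:00", "%m/%d/%Y:%H:%M:%S")
     | eval latest=relative_time(earliest, "+1d")
     | return earliest latest]
```

relative_time(earliest, "+1d") advances by one calendar day, so it stays correct across a daylight-saving change where adding 86400 seconds would be off by an hour. A latest value given inside the search string takes precedence over the time range picker, so the window stays one day wide regardless of what the picker is set to.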