I have a text date stamp called ACK_Time that I need to validate is between earliest=-1d@d AND latest=-0d@d. I can:
... earliest=-1d@d AND latest=-0d@d | convert timeformat="%m/%d/%y %H:%M:%S" mktime(ACK_Time) as ack_time | ...
but now I need to recall the values of earliest and latest as epoch so I can:
... | where earliest<=ack_time AND ack_time<=latest | ...
Is there a way to pass the values captured in earliest and latest so they can be reused in a where clause?
Thanks, that is exactly what I needed!
Implementation of solution by @gkanapathy,
earliest=-1d@d AND latest=-0d@d | addinfo | convert timeformat="%m/%d/%y %H:%M:%S" mktime(ACK_Time) as ack_time | where ack_time<=info_max_time AND ack_time>=info_min_time | ...
Thanks @gfuente for pointing out correction. Updated my answer.
There is one parenthesis missing and a typo in the where "earliest"
You can add this information via new fields using the addinfo search command.
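A way to check the addinfo pattern from the answers above without any indexed data, as an added example that is not part of the original thread. It assumes the search is run with the time range picker set to earliest=-1d@d and latest=@d; the fields n, day_start, sample and in_window are hypothetical names, and the four ACK_Time values are constructed to fall one second before the window, at its start, in the middle of it, and one minute after its end.

```spl
| makeresults count=4
| streamstats count AS n
| eval sample="constructed test row, not real data"
| eval day_start=relative_time(now(), "-1d@d")
| eval ACK_Time=case(
    n=1, strftime(day_start - 1, "%m/%d/%y %H:%M:%S"),
    n=2, strftime(day_start, "%m/%d/%y %H:%M:%S"),
    n=3, strftime(day_start + 43200, "%m/%d/%y %H:%M:%S"),
    n=4, strftime(relative_time(now(), "@d") + 60, "%m/%d/%y %H:%M:%S"))
| addinfo
| convert timeformat="%m/%d/%y %H:%M:%S" mktime(ACK_Time) AS ack_time
| eval in_window=if(ack_time>=info_min_time AND ack_time<=info_max_time, "yes", "no")
| table n sample ACK_Time ack_time info_min_time info_max_time in_window
```

Replacing the last eval with the where clause from the answer keeps only the rows whose ACK_Time falls inside the search window.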