convert timerange to epoch values

0range · ‎07-15-2014

Hello!

I want to use my timerange as a filter in a search on a dashboard, like this:
..... | where mydate < $timepicker.latest$

But i need to conver values like "@d" , "-1h" and so on to epoch.
And the latest may be already in epoch format. Then I do not need to convert.
How can I do this?

somesoni2 · ‎07-15-2014

If the same timepicker is used to define timerange for the search then, this should work.

your search ..| where mydate < [|gentimes start=-1 | addinfo | eval search=info_max_time | table search]

The 'addinfo' command will create fields info_min_time (based on search's earliest time) and info_max_time (based on search's latest time) which are in epoch already.

0range · ‎07-15-2014

No, the timepicker is not the same

martin_mueller · ‎07-15-2014

For this notation you can use the relative_time() function:

... | where mydate < relative_time(now(), "$timepicker.latest$")

However, you first need to check whether it's a number or not and only apply this if it isn't:

... | where mydate < if(isnum("$timepicker.latest$"), $timepicker.latest$, relative_time(now(), "$timepicker.latest$"))

Note, I'm not 100% certain if this catches every case imaginable or not - make sure you test everything your users will need later.

jeffland · ‎07-18-2016

It appears you also have to catch a value of "now" explicitly, i.e.

... | where mydate < case(isnum("$timepicker.latest$"), $timepicker.latest$, $timepicker.latest$="now", now(), 1=1, relative_time(now(), "$timepicker.latest$"))

martin_mueller · ‎07-15-2014

It is. Run this dummy query to confirm:

| stats count as now | eval now = strftime(now(), "%+") | eval at_d = strftime(relative_time(now(), "@d"), "%+")

0range · ‎07-15-2014

seems that @d is not compatible with relative_time function

convert timerange to epoch values

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms