I've been searching and experimenting for quite a while and I suspect I'm missing something simple....
I have a CSV lookup file with an epoch time field ("timestamp").
In my search string, I use inputlookup and I want to filter it, like this:
...| inputlookup my.csv | where timestamp >= start AND timestamp <= end
but the values I want to use for "start" and "end" I want to be the values that come from the UI in the search App (Last 24 hours, etc.).
I would expect these to translate to some sort of pre-defined variables, but I haven't been able to track them down.
I've also tried:
| inputlookup my.csv | eval _time=timestamp
where I hoped the predefined range would apply, but it didn't filter the lookup at all.
Is there a way I can get the UI generated search range to use in my where clause?
Thanks!
Give this a try
| inputlookup my.csv | where timestamp >= [| gentimes start=-1 | addinfo | eval search=info_min_time | table search] AND timestamp <=[| gentimes start=-1 | addinfo | eval search=info_max_time | table search]
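A variant that avoids the two subsearches, shown as an added example that is not part of the original thread: addinfo is run directly on the lookup rows so each row carries the time picker's bounds, and the "All time" case, where info_max_time is reported as +Infinity, is mapped to now(). The field name range_end is a hypothetical helper introduced here; my.csv and timestamp are the names from the question.

```spl
| inputlookup my.csv
| addinfo
| eval range_end=if(info_max_time="+Infinity", now(), info_max_time)
| where tonumber(timestamp) >= info_min_time AND tonumber(timestamp) <= range_end
| fields - info_min_time info_max_time info_search_time info_sid range_end
```

The time picker only restricts events retrieved from indexes, so setting _time on lookup rows does not filter them; the comparison has to be made explicitly as above.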