I have a filter that extracts the date and time just like below.
index=_server _raw="*completed*" | head 1 | eval end_time=strftime(max(_time), "%m/%d/%Y:%H:%M:%S")
But I would like to have a second search that uses the date/time obtained from the first search, something like the below.
index=_server _raw="*completed*" | head 1 | eval end_time=strftime(max(_time), "%m/%d/%Y:%H:%M:%S") | append [search index=_server | where _time < end_time]
I can't test the following on a Splunk instance right now, but what about the other way around and using subsearches and "latest" instead:
index=_server [ |search index=_server _raw="completed" | head 1 | rename _time as latest | return latest ]
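A fuller form of the same subsearch-with-`return` pattern, added here as an example (not part of the original answer), that bounds the outer search on both ends and goes a step beyond the single `latest` case above; it assumes the same `index=_server` data plus a hypothetical `_raw="*started*"` event marking the beginning of the window:

```spl
index=_server
    [ search index=_server (_raw="*started*" OR _raw="*completed*")
      | stats min(_time) AS earliest max(_time) AS latest
      | return earliest latest ]
| stats count BY sourcetype
```

The subsearch expands to `earliest="<epoch>" latest="<epoch>"` inside the outer search, so the outer search is restricted to events between the two marker events; `return $latest` would emit just the bare value instead of a `latest=` time modifier.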
Exactly what I need, 'return' is the key. Cheers!
I think you could use your search that identifies the end_time as in this example http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchTutorial/Useasubsearch