I have 2 searches that I am appending that look something like
search1 | append [search search2]
and basically search 1 has data for 6 months, e.g. Jan-Jun, and search 2 has data for 6 months, e.g. Jun-Nov.
Can I control search1 to search for all dates up to June 15th at midnight using latest?
And can I control search2 to search for all dates from June 15th at midnight using earliest? This way from a graphing point of view they all line up.
This way my search would look something like
search1 latest=20140615 | append [search search2 earliest=20140616 ]
NOTE: I have asked this Q before but the solution I found then was starttime= 03/16/2015:00:00:00
but that is now deprecated so I am looking for a better solution.
Since you're hardcoding the dates anyway, I would suggest providing the epoch equivalent time for latest and earliest, like this:
1402894800 - 6/16/2014, 12:00:00 AM GMT-5:00
search1 latest=1402894800 | append [search search2 earliest=1402894800]
If you still want to use a human readable format, then you can use subsearches like this
search1 [| gentimes start=-1 | eval latest=strptime("20140616","%Y%m%d") | table latest ]
| append [search search2 [| gentimes start=-1 | eval earliest=strptime("20140616","%Y%m%d") | table earliest]]
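An added example, not part of the answer above: one way to derive the epoch boundary from a human-readable date and build the appended search from it. The function names `boundary_epoch` and `split_search` and the fixed UTC offset are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone


def boundary_epoch(day: str, utc_offset_hours: float) -> int:
    """Epoch seconds for midnight at the start of `day` (YYYYMMDD).

    The offset is a fixed UTC offset (e.g. -5 for GMT-5:00). A fixed offset
    does not follow daylight-saving changes, so pass the offset that is in
    effect on the boundary date itself.
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    # strptime raises ValueError on a malformed date, so a bad boundary
    # never ends up inside a search string.
    midnight = datetime.strptime(day, "%Y%m%d").replace(tzinfo=tz)
    return int(midnight.timestamp())


def split_search(search1: str, search2: str, day: str,
                 utc_offset_hours: float) -> str:
    """Build `search1 latest=<cut> | append [search search2 earliest=<cut>]`.

    Both halves share one boundary value. Splunk treats earliest as
    inclusive and latest as exclusive, so an event stamped exactly at the
    boundary is returned by the second search only.
    """
    cut = boundary_epoch(day, utc_offset_hours)
    return f"{search1} latest={cut} | append [search {search2} earliest={cut}]"


if __name__ == "__main__":
    # Same boundary as in the answer: 6/16/2014 12:00:00 AM GMT-5:00.
    print(split_search("search1", "search2", "20140616", -5))
    # The same calendar date read as UTC is five hours (18000 s) earlier,
    # which would shift the cut-over point between the two searches.
    print(boundary_epoch("20140616", 0))
```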