I want to take the earliest and latest _time and assign them to some other timestamp column. For example, I have a timestamp column Transaction Date which is NOT _time, and I want to use this in the search command to achieve the following:
index=test | where Transaction_date >= earliest AND Transaction_date <= latest
Can you please help me?
Not sure what epoch time is or why to convert to that. I have timestamps like "2016-08-05 12:00:00.0"
Try this:
index=test | addinfo | eval Tdate=strptime(Transaction_date,"%Y-%m-%d %H:%M:%S.%1N") | where Tdate >= info_min_time AND Tdate <= info_max_time | ...
Epoch time is the Unix timestamp standard. It's the number of seconds since 1 Jan 1970 (IIRC). Converting dates to epoch (integer) form makes it vastly easier to compare and manipulate them.
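To make the epoch comparison concrete, here is an added Python model of the addinfo/strptime pipeline from the answer above (it is not Splunk code and not from the original thread). It assumes the Transaction_date strings carry no timezone, so they are read as UTC, and it models the "+Infinity" value that addinfo reports in info_max_time when the search has no upper time bound.

```python
from datetime import datetime, timezone
from typing import Optional
import math

# Constructed sample events (not from the original post), with Transaction_date
# in the "%Y-%m-%d %H:%M:%S.%1N" layout the asker described.
SAMPLE_EVENTS = [
    {"id": 1, "Transaction_date": "2016-08-05 12:00:00.0"},
    {"id": 2, "Transaction_date": "2016-08-05 23:59:59.9"},
    {"id": 3, "Transaction_date": "2016-08-06 00:00:00.0"},
    {"id": 4, "Transaction_date": "not a date"},
    {"id": 5},  # field missing entirely
]


def to_epoch(ts: Optional[str]) -> Optional[float]:
    """Model of SPL strptime(Transaction_date, "%Y-%m-%d %H:%M:%S.%1N").

    Returns epoch seconds, or None when the value is missing or does not
    match the layout (SPL strptime yields null in that case).
    Assumption: no zone in the string, so it is interpreted as UTC.
    """
    try:
        dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")
    except (TypeError, ValueError):
        return None
    return dt.replace(tzinfo=timezone.utc).timestamp()


def filter_by_window(events, info_min_time, info_max_time):
    """Model of:
        addinfo | eval Tdate=strptime(...) | where Tdate >= info_min_time AND Tdate <= info_max_time

    addinfo reports info_max_time as the string "+Infinity" when the search
    has no upper bound, so that value is mapped to an open-ended window.
    Events whose Tdate is null are dropped, as a where comparison on null is never true.
    """
    lower = float(info_min_time)
    upper = math.inf if info_max_time == "+Infinity" else float(info_max_time)
    kept = []
    for ev in events:
        tdate = to_epoch(ev.get("Transaction_date"))
        if tdate is None:
            continue
        if lower <= tdate <= upper:
            kept.append({**ev, "Tdate": tdate})
    return kept
```

Note that the base search (index=test) is still retrieved by _time, so events whose Transaction_date falls in the window but whose _time does not will never reach the where clause unless the search's own time range is wide enough to include them.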