eval test_time = time() - _time | search (test_time > 1800 AND test_time < 86400)|
I'm trying to see if the events in my logs (when I run the query, they should be more than 30 mins and less than 24 hrs old) from the time they were logged.
Is the condition right?
gpradeepkumarreddy's answer is probably the most useful way to do that.
If you wanted to do it in code, your code is close to correct as far as it goes, since epoch time is calculated in seconds. However, you probably want to use the now() function rather than time(), since it will give a single result for the entire search, as opposed to being calculated at a different microsecond for each event.
You can use the time picker or mention earliest and latest as below in your search:
earliest=-24h latest=-30m
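The eval-based condition with now() in place of time(), as an added example that is not part of the original thread. It runs without any index: makeresults builds four constructed events aged 10 minutes, 1 hour, 12 hours and 25 hours, so the effect of the 1800 and 86400 second bounds is visible in the results. The field names n and age are chosen here for illustration.

```spl
| makeresults count=4
| streamstats count AS n
| eval _time = now() - case(n=1, 600, n=2, 3600, n=3, 43200, n=4, 90000)
| eval test_time = now() - _time
| where test_time > 1800 AND test_time < 86400
| eval age = tostring(test_time, "duration")
| table _time test_time age
```

On real data, replace the first three lines with the base search; adding earliest=-24h latest=-30m to that base search limits what is read from the index before the eval runs.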