Hi,
I am trying to filter my search results by specifying earliest and latest time in my search query. The earliest time comes from a token. I want the latest time to be earliest + 1day. $time_token$ has the date which is selected from one of the Dashboard panels.
Please help
source="ClodeRunner10.csv" sourcetype="csv" earliest=$time_token$ latest =$time_token"+1d
| eval WfStart=If(step_info="WORKFLOW START",_time,null())
| eval WfEnd=If(step_info="WORKFLOW END",_time,null())
| sort 0 _time
| streamstats latest(WfStart) as WfStart by workflow_name
| eval WfDuration=round(((WfEnd-WfStart)/60) ,2)
| timechart eval(round(avg(WfDuration),2)) by workflow_name limit=0 useother=false
Thanks,
Sneha
Try the below approaches:
1. Mention 1d in seconds in your query. Include eval latest = $time_token$+86400 in your query
or
2. Include eval latest=relative_time($time_token$, "+d") in the query
Don't forget to append the pipe (|) operator for eval operations.
latest = $time_token$+86400 worked for me.
Thanks
Glad it worked!!