| eval created_upper_token=if("$time_token.latest$"="" OR like("$time_token.latest$","%now%"),"@s","$time_token.latest$")
| eval created_lower_token=if("$time_token.earliest$"="",0,"$time_token.earliest$")
| replace "rt*" with * in created_upper_token
| replace "rt*" with * in created_lower_token
| eval created_lower_bound = if(isnum(created_lower_token), created_lower_token, relative_time(now(),created_lower_token))
| eval created_upper_bound = if(isnum(created_upper_token), created_upper_token, relative_time(now(),created_upper_token))
| where order_date >= created_lower_bound AND order_date <= created_upper_bound
I've added comments to your query to help understand each line.
| eval created_upper_token=if("$time_token.latest$"="" OR like("$time_token.latest$","%now%"),"@s","$time_token.latest$")
`comment("This is setting created_upper_token to @s indicating last second if the value of $time_token.latest$ is now. If not use the same value as $time_token.latest$")`
| eval created_lower_token=if("$time_token.earliest$"="",0,"$time_token.earliest$")
`comment("This is setting created_lower_token to 0 indicating 'All Time' if the value of $time_token.earliest$ is blank. If not use the same value as $time_token.latest$")`
| replace "rt*" with in created_upper_token
`comment("Replacing anything with rt* with some value in created_upper_token. Your formatting has removed some text, so not sure what the replacement value is")`
| replace "rt" with * in created_lower_token
`comment("Replacing anything with rt with * in created_lower_token. Your formatting may have removed some text, so not sure if the replacement value is *")`
| eval created_lower_bound = if(isnum(created_lower_token), created_lower_token, relative_time(now(),created_lower_token))
`comment("Convert to absolute epoch time if the value is time specifier")`
| eval created_upper_bound = if(isnum(created_upper_token), created_upper_token, relative_time(now(),created_upper_token))
`comment("Convert to absolute epoch time if the value is time specifier")`
| where order_date >= created_lower_bound AND order_date <= created_upper_bound
`comment("Filter")`
This basically looks like getting the time_token from a time input in a dashboard. The code is basically converting the values selected by the users in the dashboard to epoch times so that it can be used in the filter. This is done to accommodate filters such as "Last 7 days" or "Month to Date" etc.
The intention is to filter the results based on order_time instead of _time
Let's break it down line by line:
| eval created_upper_token=if("$time_token.latest$"="" OR like("$time_token.latest$","%now%"),"@s","$time_token.latest$")
| eval created_lower_token=if("$time_token.earliest$"="",0,"$time_token.earliest$")
Those 2 lines capture the value of the Time picker.
| replace "rt*" with * in created_upper_token
| replace "rt*" with * in created_lower_token
Those 2 lines convert from realtime to NOT realtime.
| eval created_lower_bound = if(isnum(created_lower_token), created_lower_token, relative_time(now(),created_lower_token))
| eval created_upper_bound = if(isnum(created_upper_token), created_upper_token, relative_time(now(),created_upper_token))
If the values in the Time picker were integers, then use them. If they were relative time modifiers, then convert them to integers.
| where order_date >= created_lower_bound AND order_date <= created_upper_bound
That line filters the results set to those events between the Time picker bounds.
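A stand-alone version of the logic explained above that runs in the search bar without a dashboard. It is an added example, not part of any post in this thread: `earliest_tok` and `latest_tok` are constructed stand-ins for `$time_token.earliest$` and `$time_token.latest$`, and the `order_date` rows are generated test data.

```spl
| makeresults count=10
| streamstats count AS n
`comment("Constructed test data: one order per day, going back ten days from the search start time")`
| eval order_date = now() - (n * 86400)
`comment("Constructed stand-ins for the dashboard tokens: a real-time earliest value and latest=now")`
| eval earliest_tok="rt-7d", latest_tok="now"
`comment("Same steps as the original query, reading the stand-in fields instead of the tokens")`
| eval created_upper_token=if(latest_tok="" OR like(latest_tok,"%now%"),"@s",latest_tok)
| eval created_lower_token=if(earliest_tok="",0,earliest_tok)
| replace "rt*" with * in created_upper_token
| replace "rt*" with * in created_lower_token
| eval created_lower_bound = if(isnum(created_lower_token), created_lower_token, relative_time(now(),created_lower_token))
| eval created_upper_bound = if(isnum(created_upper_token), created_upper_token, relative_time(now(),created_upper_token))
| where order_date >= created_lower_bound AND order_date <= created_upper_bound
`comment("Show the surviving rows next to the computed epoch bounds")`
| eval order_day=strftime(order_date,"%F %T")
| table n order_day created_lower_token created_upper_token created_lower_bound created_upper_bound
```

The output shows `rt-7d` reduced to `-7d` and both bounds as epoch numbers; rows older than the lower bound are dropped. Setting `earliest_tok` to another relative modifier such as `-3d@d` moves the lower bound accordingly.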
Hi arjun,
Thanks a lot for the explanation.
Can you please help me by explaining the below code too:
| eval e="$time_token.earliest$", l="$time_token.latest$"
| eval e=case(match(e,"^\d+$"),e,e="" OR e="now" , "0" , true(), relative_time(now(),e))
| eval l=case(match(l,"^\d+$"),l,l="" OR l="now" , "2145916800", true(), relative_time(now(),l))
| eval e=tonumber(e) , l=tonumber(l)
| where order_date >= e AND order_date <= l