Your query is set up to run the subsearch, and return the Total into the fiedls command of the other search. i.e. it's running
sourcetype="source" "Error Log" | stats min(_time) as MySTime max(_time) as MyETime | Eval MyStartTime = strftime(MySTime, "%Y-%m-%d %H:%M:%S") |EVAL MyEndTime = strftime(MyETime, "%Y-%m-%d %H:%M:%S") | fields MyStartTime, MyEndTime, Total <Result of the Subsearch>
Which is not what you are trying to do. I think you are trying to get a start and end time using this search :
sourcetype="source" "Error Log" | stats min(_time) as MySTime max(_time) as MyETime | Eval MyStartTime = strftime(MySTime, "%Y-%m-%d %H:%M:%S") |EVAL MyEndTime = strftime(MyETime, "%Y-%m-%d %H:%M:%S") | fields MyStartTime, MyEndTime
Then run this search over that timerange:
earliest="6/12/2013:00:00:00" latest="6/12/2013:06:00:00" sourcetype="source-2" ACTION_TYPE=5 | EVAL Amount = (QUANTITY * PRODUCT_PRICE) | stats Sum(Amount) as Total | where strftime(ACTION_TIME, "%Y-%m-%d %H:%M:%S") >= "2013-06-12 00:00:00" |fields + Total
Which you would do like so:
[search sourcetype="source" "Error Log" | stats min(_time) as MySTime max(_time) as MyETime | Eval earliest = strftime(MySTime, "%Y-%m-%d %H:%M:%S") |EVAL latest = strftime(MyETime, "%Y-%m-%d %H:%M:%S") | table earliest latest ] sourcetype="source-2" ACTION_TYPE=5 | EVAL Amount = (QUANTITY * PRODUCT_PRICE) | stats Sum(Amount) as Total | where strftime(ACTION_TIME, "%Y-%m-%d %H:%M:%S") >= "2013-06-12 00:00:00" |fields + Total
Does that work for you?
... View more