Lguinn
Sorry for the late reply.
I am basically trying to compare data within 2 time stamps, let's say 12/05/2015 to 12/10/2015 with 12/12/2015 to 12/14/2015, assuming our release is on 12/11/2015 night. What we need is the request names that are only found in the latter timeframe. So the normal logic is to get all the request names for the former timestamps, get the request names for the latter timestamps, compare those, remove the ones that match the former timestamps, and get the new ones (which do not match) from the latter timestamps.
The search you provided is working up to a certain limit, but I am finding the following issues:
1) What if the user selects a particular time frame or last 15 minutes? In that case, the "After" needs to be populated with AND _time<=relative_time(now(),"now") or AND _time<=relative_time(now(),"-10m"). The first one here does NOT work but the second one works fine.
2) The relative time field doesn't take EPOCH time -- the following does not work:
| eval type=case(_time>=relative_time(now(),"1449986400") AND _time<=relative_time(now(),"1450072800"),"Before",
_time>=relative_time(now(),"1450072800") AND _time<=relative_time(now(),"1450159200"),"After",
1==1,"Other")
Here is what I am doing to feed in the relative timestamps but it does not work as expected:
| eval type=case(_time>=relative_time(now(),"$field1.earliest$") AND _time<=relative_time(now(),"$field1.latest$"),"Before",
_time>=relative_time(now(),"$field2.earliest$") AND _time<=relative_time(now(),"$field2.latest$"),"After",
1==1,"Other")
Thanks for your help!
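
The before/after comparison described in this post, as an added example in Python that is not part of the original post or of the search it refers to. It compares epoch timestamps directly against the epoch bounds quoted above; the half-open windows, the function names, and the sample events are assumptions constructed for illustration.

```python
# Window bounds are the epoch values quoted in the post. Windows are treated
# as half-open [start, end) (an assumption) so that an event on the shared
# boundary 1450072800 lands in exactly one window.
BEFORE = (1449986400, 1450072800)
AFTER = (1450072800, 1450159200)

def classify(ts, before=BEFORE, after=AFTER):
    """Label an epoch timestamp by comparing it directly to epoch bounds."""
    if before[0] <= ts < before[1]:
        return "Before"
    if after[0] <= ts < after[1]:
        return "After"
    return "Other"

def new_requests(events, before=BEFORE, after=AFTER):
    """Return {request_name: (first_seen, count)} for names seen only in After."""
    seen_before = set()
    after_stats = {}
    for ts, name in events:
        window = classify(ts, before, after)
        if window == "Before":
            seen_before.add(name)
        elif window == "After":
            first, count = after_stats.get(name, (ts, 0))
            after_stats[name] = (min(first, ts), count + 1)
    # Drop every name that also appeared in the Before window.
    return {n: s for n, s in after_stats.items() if n not in seen_before}

# Constructed sample events: (epoch _time, request name).
EVENTS = [
    (1449900000, "/export"),       # earlier than both windows -> Other
    (1449986500, "/login"),
    (1450000000, "/search"),
    (1450072799, "/cart"),         # last second of Before
    (1450072800, "/login"),        # shared boundary -> After
    (1450080000, "/checkout/v2"),
    (1450090000, "/checkout/v2"),
    (1450100000, "/search"),
    (1450150000, "/export"),
    (1450159200, "/late"),         # end bound is excluded -> Other
]

if __name__ == "__main__":
    for name, (first, count) in sorted(new_requests(EVENTS).items()):
        print(name, first, count)
```
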