Hi!
I'm trying to set the earliest and latest for a sub-search using a variable from the main search. The code below shows what I am trying to accomplish.
sourcetype=log1 Id=1116061 | stats earliest(_time) AS earliest, latest(_time) AS latest | fieldformat earliest= strftime(earliest, "%m/%d/%Y:%H:%M:%S") | fieldformat latest= strftime(latest, "%m/%d/%Y:%H:%M:%S") | search [index=log2 earliest=earliest latest=latest | stats avg(transcode_ratio) as Ratio]
The main search is giving me the correct value and format (08/30/2016:14:23:31) for the sub search to work. I'm just unable to use a variable as the value. I'm not sure what approach I should take as I have very little experience with splunk and couldn't find an example online that fits.
Many Thanks.
... View more