I have a different case:
| eval this_week = case(last_seen < strftime(relative_time(now(), "-mon"), "%Y-%m-%dT%H:%M:%SZ"), "1 Month")
| eval 1_week_ago = case( last_seen < strftime(relative_time(now(), "-2mon"), "%Y-%m-%dT%H:%M:%SZ"), "2 Month")
Now: 7/12/19 10:30:00.000 AM
I need to search the first case in the time interval 7/8/19 00:00:00.000 AM - 7/9/19 00:00:00.000 AM
The second case in the time interval 7/1/19 00:00:00.000 AM - 7/2/19 00:00:00.000 AM
How is it possible?
With the search parameters earliest and latest it's impossible,
index=en_amp_api earliest=@w1 latest=@w2
because the search works only on the first case.
I tried something like this to set earliest and latest as variables:
| makeresults
| eval time = relative_time(now(),"-h@w1")
| eval format = strftime(time, "%m/%d/%Y:%H:%M:%S")
| eval earliest = strptime(format,"%m/%d/%Y")
| eval latest = relative_time(earliest,"+24h@h")
| eval format_earliest = strftime(earliest,"%m/%d/%Y %H:%M:%S")
| eval format_latest = strftime(latest,"%m/%d/%Y %H:%M:%S")
| table format_earliest format_latest