Hey All,
Sorry if this is a duplicate, or already been answered, but I've tried numerous ideas from posts, and the documentation, but haven't managed to get something to work, and was hoping someone may have a suggestion.
I'm trying to do a search for all domains, for "All Time", but limit the results that are returned to those with a first seen date of yesterday or today.
This works:
sourcetype=blah... domain=* | eval time=strftime(_time, "%m/%d/%y") | eval yest=strftime(relative_time(time(), "-1d"), "%m%d%y") | stats earliest(time) as start, latest(time) as stop by domain | where start > "10/18/17"
But when I try to use yest as the variable instead of a hard-coded (yesterday's) date, it fails. I've printed out all of the fields in table format, and it doesn't appear that yest is getting populated (though the query works fine when run alone). I've also tried macros, but haven't had much luck with that either. Any thoughts, or suggestions would be greatly appreciated.
Thanks!
↧