hi
I want to change the source on my request when the timechange.
I'll explain:
I have a lot of directories named by date and I use this as the source.
Example:
index=my_index source="20160513"
When I change the date, I need to change the source value.
So, if the earliest time search equals **20160522**, then my search will be:
index=myindex source="20160522"
My test is:
index=myindex |addinfo | eval time1=strftime(info_min_time, "%Y%m%d") |where source=time1 |table field1 field2 ......
but this doesn't work for me and I don't know how I can do this.
if any body have a solution thx
↧