I would like to include an evaluated field to the events returned in the search containing the number of business days between the timestamp of the event and the end of the event month. I have a subsear returning the number of business days untill the end of the month:
eval TtoEOM=[search * Earliest=$eventtime$ latest=+1month@month | timechart count by host span=1d | appendpipe [|stats count |addinfo | eval temp=info_min_time."##".info_max_time | makemv temp delim="##" | mvexpand temp | eval count=0 | eval _time=temp | table _time count] | timechart span=1d sum(count) as count | fillnull | eval dayname = strftime(_time, "%a") | eval target = strftime(_time, "%d%m%y") |search dayname!=Sat dayname!=Sun | stats count as ret | return $ret]
However, I'm unble to get the event time into the Earliest parameter of the subsearch.
Thank you!
↧