I tried following that website's example and I think I'm close, but my search is not displaying all of the events in the specified time range.
The info_min_time and info_max_time are both being calculated correctly and my where statement should also be fine because the _time has been set to the value of the Date field I need. So all of the values are calculated correctly but for some reason my search is leaving out some of the events in the time range.
base search
| eval CA7_DateTime = CA7_Date + " " + CA7_Time
| eval _time=strptime(CA7_DateTime,"%Y-%m-%d %H:%M")
| addinfo
| where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity")
| eval CA7_FCOMP=if(CA7_FCOMP="n/a"," ",CA7_FCOMP)
| eval CA7_Abend=if(CA7_Abend="n/a"," ",CA7_Abend)
| table CA7_Number CA7_DateTime CA7_Jobname CA7_Abend CA7_FCOMP CA7_Reason
Searching by All Time displays everything correctly but if I try viewing specific days, events are left out.