Hi, I think this solution needs one enhancement:
If the latest time is now, it passes "now", which in the relative_time() function gives an empty result, so it can be fixed by adding an if("$time.latest$"="now", "-0","$time.latest$" ) condition as follows:
index=foo sourcetype=bar earliest=0 | where strptime(abctime, "%Y-%m-%d") >= if(replace("$time.earliest$","\d","")!="",relative_time(now(),"$time.earliest$"),"$time.earliest$") AND strptime(abctime, "%Y-%m-%d") < if(replace("$time.latest$","\d","")!="",relative_time(now(),if("$time.latest$"="now", "-0","$time.latest$")),"$time.latest$")