topic Re: Is it possible to merge results from last scheduled saved search with the latest run? in Reporting

Is it possible to merge results from last scheduled saved search with the latest run?

steven10172 — Mon, 21 Jul 2014 21:48:24 GMT

Is it possible to merge the results from the last run of the saved search with the newest run? I would like to be able to keep a report of the running average of some different values.

Results after 1st search:
Monday 10000
Tuesday 43000
Wednesday 15000

Results of next search:
Monday 12000
Tuesday 51000
Wednesday 19000

Report shows:
Monday 11000
Tuesday 47000
Wednesday 17000

Re: Is it possible to merge results from last scheduled saved search with the latest run?

strive — Tue, 22 Jul 2014 05:56:23 GMT

I assume that your scheduled saved search is run once a day.

Create a Summary index and index the summarized data at the end of every run. Using this summary index you can generate reports for any time range (Weekly, biweekly, monthly and etc..)

Re: Is it possible to merge results from last scheduled saved search with the latest run?

somesoni2 — Tue, 22 Jul 2014 13:54:24 GMT

You can achieve this by using loadjob command. It would require the saved search configuration in two steps.

A) Have your saved search created with the regular command and schedule and let it run for atleast once per schedule (so that you'd have previous run result)

index=_internal | stats count by sourcetype

Runs every minute

B) Once its ran once, add following to the search string to append the result of last run and then summarize again.

index=_internal | stats count by sourcetype  ***new stuff starts here(delete this)***| append [| loadjob savedsearch="PutownerName:PutAppName:PutSavedSearchName" ] | stats count by sourcetype

Now the next run will include the results from last run as well.

Remember, it will produce commulative effect.

Like
Run 1     Result 1
Run 2     Result 1+2
Run 3     Result 1,2 + 3
...

Re: Is it possible to merge results from last scheduled saved search with the latest run?

steven10172 — Wed, 23 Jul 2014 15:35:49 GMT

I've scheduled an alert to be summary indexed with my search and it doesn't seem to be running. When I click View Recent there are no reports stored there. But if I click Run I can see results. There also doesn't seem to be results in index=summary (The index I used). How can I tell what's going on with the search?

Re: Is it possible to merge results from last scheduled saved search with the latest run?

strive — Wed, 23 Jul 2014 15:44:22 GMT

Can you post your search here. That will help us to see if you have scheduled it properly and also your storage preferences.

Re: Is it possible to merge results from last scheduled saved search with the latest run?

steven10172 — Mon, 28 Sep 2020 17:09:18 GMT

| metasearch earliest=@h-1h latest=@h index=voice
| fields _time,host
| bucket _time span=1h
| bucket host
| stats count by _time,host
| eval month=strftime(_time, "%m")
| eval day=strftime(_time, "%d")
| eval dayOfWeek=strftime(_time, "%w")
| eval hour=strftime(_time, "%H")
| table host,month,day,dayOfWeek,hour,count
| sort host,hour,day
Alert Config:[[[StartTime:@h-1h, FinishTime:@h, Scheduled:cron[30 * * * *], Severity:info Expiration:24hr Summary Indexing: ENABLED, Summary Index: Summary, Add Fields:report=voice_import_count]]]

Re: Is it possible to merge results from last scheduled saved search with the latest run?

steven10172 — Wed, 23 Jul 2014 16:05:50 GMT

If the storage preferences are in a .conf file I do not have access to them

Re: Is it possible to merge results from last scheduled saved search with the latest run?

strive — Wed, 23 Jul 2014 16:24:53 GMT

When i try to execute the search that you have given, it throws search parser error. Are you sure that it runs and giving you results.

Re: Is it possible to merge results from last scheduled saved search with the latest run?

strive — Wed, 23 Jul 2014 16:31:42 GMT

Yes the storage preferences are part of indexes.conf file. Users can overrite the default settings by placing a copy of the file under /local directory

Re: Is it possible to merge results from last scheduled saved search with the latest run?

steven10172 — Wed, 23 Jul 2014 16:38:50 GMT

Yea, the search does work. the stuff in the [[[ is the configuration I used to setup the alert and summary indexing. I would look at the .conf files, but I don't have access to the servers.

Re: Is it possible to merge results from last scheduled saved search with the latest run?

strive — Wed, 23 Jul 2014 17:00:41 GMT

Yeah i understood by taking a close look at the search. I followed your configurations with minor changes. Its working for me. The changes that i made are:
StartTime:-1d # This was default and i left it as-is
FinishTime: # This was blank and i left it as-is
cron: 30 * * * *
Rest all same settings.

Your cron schedule is wrong. 30 * * is not right. If you try to save that it will display an error

Re: Is it possible to merge results from last scheduled saved search with the latest run?

steven10172 — Wed, 23 Jul 2014 18:38:39 GMT

30 <4's> is what I actually have. The comment just truncates the last 2 's

Re: Is it possible to merge results from last scheduled saved search with the latest run?

strive — Wed, 23 Jul 2014 18:45:06 GMT

Ok. I tried with same configurations and it works perfectly fine.. Data gets stored in summary index also.