HI Splunker,
I have to run my search 11 times in a day in below mentioned timings one search is capturing data from last 12 hours and rest 10 searches capturing last 1 hours data.
One way of doing this is to clone the search and create two searches with same name.
1)1 Report for first search capturing last 12 hours data.
2)1 Report for last 10 searches capturing last 1 hour data
Is there any way of without changing/cloning the search i can do this ?
XYZ Search
Number Run At Start time End time
1 07:47:00 17:47:00 07:47:00
2 08:47:00 07:47:00 08:47:00
3 09:47:00 08:47:00 09:47:00
4 10:47:00 09:47:00 10:47:00
5 11:47:00 10:47:00 11:47:00
6 12:47:00 11:47:00 12:47:00
7 13:47:00 12:47:00 13:47:00
8 14:47:00 13:47:00 14:47:00
9 15:47:00 14:47:00 15:47:00
10 16:47:00 15:47:00 16:47:00
11 17:47:00 16:47:00 17:47:00
Hi
you could:
schedule your alert to 47 7,8,9,10,11,12,13,14,15,16,17 * * *
set the time period of your search to the last 12 hours
and modify your search in this way
your_search
| eval hour=if(tonumber(strftime(now(),"%H"))=7,(tonumber(strftime(_time,"%H"))-12),(tonumber(strftime(_time,"%H"))-1))
| where date_hour>hour
| ...
In this way if the search is executed at 7, takes events of last 12 hours, if it's executed at a different hour takes events of last hour
Bye.
Giuseppe
For the clone approach, make sure you have the bulk of the search stored in a macro to avoid having code duplication - maintenance nightmare.
Without cloning, you'd have to make the search self-aware and inspect its time range as well as schedule time in order to once a day deviate and also search for an additional 13 hours. That's possible to build using subsearches to generate earliest and latest, but from a maintenance and robustness point of view your two searches might be better.
In a way, you are running two different searches. One looks at an entire off-peak time / night, the other looks at a single hour. Depending on what your searches actually are doing, the two might be very different indeed.
Even better, step back a bit and examine your requirements if there's a different approach. To help here we'd need to know more about that.