I want to create a dashboard with the current month's log data report. I could select this (Other -> Month to date) in the timeline while querying to get the results. But how do I add it to the search as an option, so I can save it in the dashboard, so that users get to see that month's data each time they view the dashboard?
Also, when I included the option -30d@mon in the search query (as below), I did not get any results in the table format, even though there is data in the logs. But if I select using the timeline (without giving the option -30d@mon in the search query), I get the result in the table format.
This is the search query I gave:
source="/flocal/logs/tomcat-6.0.18/lawyers/search-mapping.log" searchTerm PAMapped | eval Legal_Issue=urldecode(searchTerm) | eval Practice_Area=if(isnull(PAMapped),"Not Mapped",urldecode(PAMapped)) | search Legal_Issue="Securities Law" -30d@mon
Splunk Employee:
Ah, yes, latest is assumed to be NOW, so you need to fix that. For last month, try:
"earliest=-1mon@mon latest=-0mon@mon"
Thanks so much! This worked.
Splunk Employee:
If that answered your question, be sure to accept the best response so others see it and know it worked for you 🙂
Thanks, I do see results now. The current month works (earliest=-0mon@mon). Thanks :)!
But when I give for last month (earliest=-1mon@mon) I get last month's and this month's.
16 events over all time (from 12:00:00.000 AM August 1 to 3:56:43.822 PM September 6, 2012)
In the timeline I selected (all time) for both queries.
Splunk Employee:
For THIS month, try this:
source="/flocal/logs/tomcat-6.0.18/lawyers/search-mapping.log" searchTerm PAMapped earliest=-0mon@mon | eval Legal_Issue=urldecode(searchTerm) | eval Practice_Area=if(isnull(PAMapped),"Not Mapped",urldecode(PAMapped)) | search Legal_Issue="Securities Law"
For LAST month, try this:
source="/flocal/logs/tomcat-6.0.18/lawyers/search-mapping.log" searchTerm PAMapped earliest=-1mon@mon latest=-0mon@mon | eval Legal_Issue=urldecode(searchTerm) | eval Practice_Area=if(isnull(PAMapped),"Not Mapped",urldecode(PAMapped)) | search Legal_Issue="Securities Law"
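The behaviour in this thread (earliest=-1mon@mon alone returning both months, because latest silently defaults to now, and @mon snapping the offset back to the first of the month) is easy to check outside Splunk. The following Python model is an added example, not Splunk's own parser or any code from this thread: it implements the subset of the relative-time syntax the posts use (a signed offset in mon/d/h, then an optional @mon/@d/@h snap), resolves an earliest/latest pair the way the posts describe, and runs it over a handful of constructed events around the dates the thread quotes. Month-end day clamping, the absence of time zones, and the limited unit set are simplifications of this model.

```python
import calendar
import re
from datetime import datetime, timedelta

# Assumption: a hand-written model of the subset of Splunk's relative time
# syntax used in the thread ("-1mon@mon", "-0mon@mon", "-30d@mon"), not Splunk's
# own parser. Supported: optional signed offset in mon/d/h, then an optional
# "@" snap to the start of the month/day/hour.
_MODIFIER_RE = re.compile(r"^(?:([+-]?\d+)(mon|d|h))?(?:@(mon|d|h))?$")

# Constructed "now": the timestamp the thread quotes (Sept 6, 2012, 3:56:43 PM).
NOW = datetime(2012, 9, 6, 15, 56, 43)

# Constructed sample events: two in August and two in September 2012.
SAMPLE_EVENTS = [
    {"_time": datetime(2012, 8, 15, 10, 0, 0), "Legal_Issue": "Securities Law"},
    {"_time": datetime(2012, 8, 31, 23, 59, 59), "Legal_Issue": "Securities Law"},
    {"_time": datetime(2012, 9, 1, 0, 0, 0), "Legal_Issue": "Securities Law"},
    {"_time": datetime(2012, 9, 6, 10, 0, 0), "Legal_Issue": "Securities Law"},
]


def _add_months(dt, n):
    """Shift dt by n calendar months, clamping the day to the target month's length."""
    total = dt.year * 12 + (dt.month - 1) + n
    year, month0 = divmod(total, 12)
    month = month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return dt.replace(year=year, month=month, day=min(dt.day, last_day))


def resolve(modifier, now):
    """Resolve a relative time modifier: apply the offset first, then snap."""
    match = _MODIFIER_RE.match(modifier)
    if not match:
        raise ValueError(f"unsupported relative time modifier: {modifier!r}")
    amount, unit, snap = match.groups()
    dt = now
    if amount is not None:
        n = int(amount)  # "-0" parses as 0, so -0mon@mon is "snap this month"
        if unit == "mon":
            dt = _add_months(dt, n)
        elif unit == "d":
            dt += timedelta(days=n)
        elif unit == "h":
            dt += timedelta(hours=n)
    if snap == "mon":
        dt = dt.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
    elif snap == "d":
        dt = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    elif snap == "h":
        dt = dt.replace(minute=0, second=0, microsecond=0)
    return dt


def time_window(earliest=None, latest=None, now=NOW):
    """Return (start, end) bounds; an omitted latest defaults to now, as in Splunk."""
    start = resolve(earliest, now) if earliest else None
    end = resolve(latest, now) if latest else now
    return start, end


def window_iso(earliest=None, latest=None, now=NOW):
    """ISO-formatted bounds, handy for checking a modifier before saving a search."""
    start, end = time_window(earliest, latest, now)
    return (start.isoformat() if start else None, end.isoformat())


def filter_events(events, earliest=None, latest=None, now=NOW):
    """Keep events with start <= _time < end (the end bound is exclusive)."""
    start, end = time_window(earliest, latest, now)
    return [ev for ev in events
            if (start is None or ev["_time"] >= start) and ev["_time"] < end]


def count_in_window(earliest=None, latest=None, now=NOW):
    """Number of constructed sample events that fall inside the resolved window."""
    return len(filter_events(SAMPLE_EVENTS, earliest, latest, now))


if __name__ == "__main__":
    for spec in [("-0mon@mon", None), ("-1mon@mon", None),
                 ("-1mon@mon", "-0mon@mon"), ("-30d@mon", None)]:
        print(spec, window_iso(*spec), "events:", count_in_window(*spec))
```

Running it shows the point of the thread: earliest=-1mon@mon by itself spans August 1 up to "now" and returns all four events, while adding latest=-0mon@mon caps the window at September 1 and returns only the two August events. It also shows why -30d@mon is a poor way to say "this month": from September 6 it lands on August 7 and snaps back to August 1, so the window moves with the calendar day rather than meaning "month to date".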
When I give "earliest", I get an error saying "Search operation earliest is unknown. You might not have permission to run this operation"
This is the query:
source="/flocal/logs/tomcat-6.0.18/lawyers/search-mapping.log" searchTerm PAMapped | eval Legal_Issue=urldecode(searchTerm) | eval Practice_Area=if(isnull(PAMapped),"Not Mapped",urldecode(PAMapped)) | top limit=10000 Legal_Issue Practice_Area | earliest=-1mon@mon
Splunk Employee:
Shouldn't your -30d@mon be earliest=-0mon@mon? (for THIS month, i.e. since Sept 1)
Or earliest=-1mon@mon for LAST month (i.e. Aug 1 to Aug 31)
Or am I missing your goal?
Oh, related point: why not put the "earliest=..." in the first search, not the last one?