I am sending a POST call to the REST endpoint search/jobs
with following parameters:
'output_mode': 'json',
'earliest_time': '-7d',
'latest_time': '-1d',
'exec_mode': 'oneshot',
'search': 'search index=ind status=FAIL | table error, sim_time'
If, instead of above, I send:
'output_mode': 'json',
'exec_mode': 'oneshot',
'search': 'search index=ind earliest=-7d@d latest=-1d@d status=FAIL | table error, sim_time'
Is there a difference? In terms of performance, load on server, correctness etc.
Aside from the fact that you're snapping to the day in one search and not the other, there should be no difference in performance.
Aside from the fact that you're snapping to the day in one search and not the other, there should be no difference in performance.
Sorry, I missed the @d in one search! Both searches are supposed to be the same. No difference sounds great!
You can always test both 10-20 times and avaerage the results. The _internal index has data related to how long the searches took.