Hello Splunk ninjas,
We all know about scheduled reports configured to use a schedule window - when they run delayed, they still gather data for the time range that they would have covered if they started on time.
In short - it will search over the time range it was originally scheduled to cover.
What happens when the search query is using now() function ? Like many of the ESCU correlation searches...
Example: There is a query containing :
| where firstTimeSeen > relative_time(now(),1h)
The report is scheduled every hour (cron = 0 * * * *) using a search time range earliest=now, latest=-70min. Schedule window = auto.
And this is a busy day therefore our query is executed 40 minutes later than scheduled.
As mentioned at the begining, the time range used doesn't change, it's still :00 - :59 (previous hour).
However, the now() has this definition :This function takes no arguments and returns the time that the search was started.
The result set of the report is different now.
Is this behavior flawed by design ? Many of the ES/ESCU correlation searches use this kind of filtering ( based on now()).
How to solve this ?
no schedule window ? no auto ? higher priority ? durable search ? real-time mode instead of continuous ?
Thanks for your educated answers.
