How do I run loadjob to get the second to last resultset? By default it gives the last resultset.
If your saved search is named foo you can use this command:
| loadjob [
search index=_audit savedsearch_name="foo" search_id='scheduler_*'
| sort - _time | head 2 | tail 1
| rename search_id AS search
| eval search=replace(search, "\'","") ]
What happens here? The subsearch will search for the search_id of your saved searches, the sort and head and tail will get back the second last result, and the rename and eval will return the values in a usable format for loadjob.
Hope this helps ...
Easiest way to get the second last result-set should be, below is the default syntax for loadjob.
| loadjob (sid | savedsearch) [result-event] [delegate] [artifact_offset] [ignore_running]
Selects a search artifact other than the most recent matching one. For example, if artifact_offset=1, the second most recent artifact will be used. If artifact_offset=2, the third most recent artifact will be used.