I am looking to change the earliest/latest time during search for saved searches. It's working for a normal search query but not for a savedsearch. Is this expected?
Is there a way to override the time for a savedsearch? For my search query I am getting the earliest/latest time from another file generated dynamically, so I can't use the timepicker.
Case 1: Override of earliest/latest time doesn't work for saved search.
Case 2: Override of earliest/latest time works for normal search query.
There is a way to achieve this, but your savedsearch has to cater for it. You can't amend the savedsearch timespan by just putting earliest= latest= in the command properties -- that doesn't work. You have to provide the data as variables to the savedsearch.
Here is a savedsearch I have created called "Makeresults Show Times"
index=_internal earliest=$etime$ latest=$ltime$ | head 1 | addinfo | convert ctime(info_min_time) as earliest_time ctime(info_max_time) as latest_time timeformat="%d/%m/%Y %H:%M:%S" | table earliest_time latest_time
You can then pass the variables etime and ltime to the search to override the time selection, such as:
| savedsearch "Makeresults Show Times" etime=-15m ltime=now
This will then produce the correct data that you are looking for.
That said, it will also break the report when it is referenced not using the etime and ltime variables -- so you would have to make a report that would only cater for this singular use case and for no others, which seems like it would introduce duplication of effort.
So it is possible, just not very practical.
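The answer above substitutes etime and ltime into the report as $etime$/$ltime$ tokens, so whatever the dynamically generated file contains becomes part of the search string. The following is an added example, not code from the thread: it reads the two values and builds the `| savedsearch` call only when both are plain time modifiers. The file format, the function names and the accepted subset of time-modifier syntax are assumptions.

```python
import re

# Conservative subset of Splunk time modifiers (an assumption of this example):
#   now | epoch seconds | [+-]<int><unit> with an optional @<unit> snap (-15m, -1d@d)
_UNIT = r"(?:s|m|h|d|w|mon|q|y)"
TIME_MODIFIER = re.compile(
    r"now|\d{1,10}(?:\.\d{1,3})?|[+-]\d{1,6}" + _UNIT + r"(?:@" + _UNIT + r")?"
)
# Report names are limited to characters that cannot close the quoted argument.
REPORT_NAME = re.compile(r"[A-Za-z0-9 _-]{1,100}")


def parse_time_file(text):
    """Parse 'earliest=<value>' / 'latest=<value>' lines (hypothetical file format)."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("earliest", "latest"):
            values[key.strip()] = value.strip()
    missing = {"earliest", "latest"} - values.keys()
    if missing:
        raise ValueError(f"missing keys: {sorted(missing)}")
    return values["earliest"], values["latest"]


def build_savedsearch(report, earliest, latest):
    """Return the SPL string, refusing values that are not plain time modifiers."""
    if not REPORT_NAME.fullmatch(report):
        raise ValueError(f"unsafe report name: {report!r}")
    for label, value in (("etime", earliest), ("ltime", latest)):
        # fullmatch: the whole value must be one modifier, nothing before or after it
        if not TIME_MODIFIER.fullmatch(value):
            raise ValueError(f"rejected {label} value: {value!r}")
    return f'| savedsearch "{report}" etime={earliest} ltime={latest}'


# Constructed sample of the dynamically generated file.
SAMPLE_FILE = "# written by upstream job\nearliest=-15m\nlatest=now\n"

if __name__ == "__main__":
    earliest, latest = parse_time_file(SAMPLE_FILE)
    print(build_savedsearch("Makeresults Show Times", earliest, latest))
```

Time modifiers outside this subset (for example chained offsets) are rejected rather than passed through; widen the pattern deliberately if the generating job needs them.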
A saved search has a defined time window which is configured when you build the original search; this timeframe is used when the search is executed.
You can't pass earliest/latest to the savedsearch command because you are recalling events with a predetermined window.
Notice that the parameters are not formatted as green when passed to the saved search, but they are for the normal search.
If you are using the saved search to recall a complex search query, consider using a macro instead.