Is it possible to merge the results from the last run of the saved search with the newest run? I would like to be able to keep a report of the running average of some different values.
Results after 1st search:
Results of next search:
You can achieve this by using the loadjob command. It requires setting up the saved search in two steps.
A) Create your saved search with the regular search and schedule, and let it run at least once on its schedule (so that you have a previous run's result):
index=_internal | stats count by sourcetype
Runs every minute
B) Once it has run once, add the following to the search string to append the result of the last run and then summarize again (the new part starts at the append; the final stats sums the carried counts rather than counting result rows):
index=_internal | stats count by sourcetype
    | append [| loadjob savedsearch="PutownerName:PutAppName:PutSavedSearchName" ]
    | stats sum(count) as count by sourcetype
Now the next run will include the results from the last run as well.
Remember, it will produce a cumulative effect:
Run 1: result 1; Run 2: result 1+2; Run 3: result 1+2+3; ...
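As an added illustration (this is not part of the original answer, and it is a Python model of the SPL pipeline rather than Splunk code), the loadjob/append pattern above simulated over three scheduled runs. It shows the difference between a final `stats count by sourcetype` (which counts the appended result rows) and `stats sum(count) as count by sourcetype` (which accumulates the carried counts), and goes one step beyond the answer by carrying a count and a sum so that the running average the question asks for can be computed. The events, the `bytes` field and the sourcetype names are constructed sample data; the field names `count` and `total` are assumptions.

```python
"""Model of `... | append [| loadjob savedsearch=...] | stats ... by sourcetype`.

Each scheduled run aggregates its own events, appends the previous run's
saved (already cumulative) result, and re-aggregates.  All data is constructed.
"""
from collections import defaultdict

# Constructed sample events for three scheduled runs: (sourcetype, bytes).
RUNS = [
    [("splunkd", 100), ("splunkd", 300), ("metrics", 50)],
    [("splunkd", 200), ("metrics", 150), ("metrics", 250)],
    [("splunkd", 400)],
]


def stats_over_events(events):
    """`| stats count as count sum(bytes) as total by sourcetype` over raw events.
    Returns a list of row dicts, like a Splunk result set."""
    agg = defaultdict(lambda: {"count": 0, "total": 0})
    for sourcetype, nbytes in events:
        agg[sourcetype]["count"] += 1
        agg[sourcetype]["total"] += nbytes
    return [{"sourcetype": st, **v} for st, v in sorted(agg.items())]


def restats(rows, sum_fields):
    """The stats step after `append [| loadjob ...]`.

    With sum_fields=("count", "total") this is
    `| stats sum(count) as count sum(total) as total by sourcetype`.
    With sum_fields=() it is the literal `| stats count by sourcetype`,
    which counts result rows (one per sourcetype per run) instead of
    summing the carried counts."""
    agg = defaultdict(lambda: defaultdict(int))
    for row in rows:
        st = row["sourcetype"]
        if sum_fields:
            for f in sum_fields:
                agg[st][f] += row[f]
        else:
            agg[st]["count"] += 1
    return [{"sourcetype": st, **dict(v)} for st, v in sorted(agg.items())]


def scheduled_runs(runs, sum_fields):
    """Simulate the saved search firing once per element of `runs`.

    `loadjob` returns the previous run's *final* result, which is already
    cumulative, so run 3 sees (1+2) and produces 1+2+3.  The empty
    `previous` for the first run stands in for step A of the answer
    (a first run with nothing to load)."""
    previous = []
    history = []
    for events in runs:
        current = stats_over_events(events)
        merged = restats(current + previous, sum_fields)  # append, then stats
        history.append(merged)
        previous = merged
    return history


def running_average(runs):
    """Running average of bytes per sourcetype across all runs so far.

    Carry count and total (never a per-run average, which cannot be
    re-averaged correctly) and divide at the end: `| eval avg=total/count`."""
    final = scheduled_runs(runs, sum_fields=("count", "total"))[-1]
    return {row["sourcetype"]: row["total"] / row["count"] for row in final}


if __name__ == "__main__":
    for i, rows in enumerate(scheduled_runs(RUNS, sum_fields=()), 1):
        print("literal stats count, run", i, rows)
    for i, rows in enumerate(scheduled_runs(RUNS, sum_fields=("count", "total")), 1):
        print("sum(count)/sum(total), run", i, rows)
    print("running average:", running_average(RUNS))
```

With the literal `stats count`, the per-sourcetype value never exceeds the number of rows appended (2 after run 2, and it drops back to 1 for a sourcetype that is absent from the current run), so it is not the 1, 1+2, 1+2+3 series the answer describes; summing the carried field gives that series. In SPL the running-average shape is, as this editor's rendering and not the answer's own search, `... | stats count as count sum(bytes) as total by sourcetype | append [| loadjob savedsearch="owner:app:name" | fields sourcetype count total] | stats sum(count) as count sum(total) as total by sourcetype | eval avg=total/count`.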
I assume that your scheduled saved search is run once a day.
Create a summary index and index the summarized data at the end of every run. Using this summary index you can generate reports for any time range (weekly, biweekly, monthly, etc.).
Yeah, I understood by taking a close look at the search. I followed your configuration with minor changes. It's working for me. The changes that I made are:
StartTime:-1d # This was default and i left it as-is
FinishTime: # This was blank and i left it as-is
cron: 30 * * * *
All other settings the same.
Your cron schedule is wrong. "30 * *" is not right. If you try to save that it will display an error.
Yea, the search does work. The stuff in the [[[ is the configuration I used to set up the alert and summary indexing. I would look at the .conf files, but I don't have access to the servers.
| metasearch earliest=@h-1h latest=@h index=voice
| fields _time,host
| bucket _time span=1h
| stats count by _time,host
| eval month=strftime(_time, "%m")
| eval day=strftime(_time, "%d")
| eval dayOfWeek=strftime(_time, "%w")
| eval hour=strftime(_time, "%H")
| table host,month,day,dayOfWeek,hour,count
| sort host,hour,day
Alert Config: [[[
StartTime: @h-1h
FinishTime: @h
Scheduled: cron[30 * * * *]
Severity: info
Expiration: 24hr
Summary Indexing: ENABLED
Summary Index: Summary
Add Fields: report=voiceimport_count
]]]
I've scheduled an alert to be summary indexed with my search and it doesn't seem to be running. When I click View Recent there are no reports stored there. But if I click Run I can see results. There also doesn't seem to be results in index=summary (the index I used). How can I tell what's going on with the search?