
Is there a way to include the time range used for a scheduled search in the emailed PDF of results?

Contributor

Hi,

I have several scheduled searches (reports) which are delivered every month in .pdf format via email.
Is there a way to include the time range the searches applied in these results (I mean, which date ranges do the searches refer to)?

It would be great if this info could be visible in the PDF pages...

Thanks,
Skender

0 Karma

Re: Is there a way to include the time range used for a scheduled search in the emailed PDF of results?

Contributor

I edited the email alert of the scheduled search and I noticed an option called Trigger Time.
What does it mean? Is it the time range the search includes?
Has anyone used alert email tokens?

Skender

0 Karma

Re: Is there a way to include the time range used for a scheduled search in the emailed PDF of results?

Contributor

What if I inserted in the email alert: Time range is: $range$ where range is the token which is used by the time range picker input...

Skender

0 Karma

Re: Is there a way to include the time range used for a scheduled search in the emailed PDF of results?

Builder
| addinfo | eval start=strftime(info_min_time, "%Y-%m-%d %T") | eval end=strftime(info_max_time, "%Y-%m-%d %T")

Then you could use the tokens $start$ and $end$ in your report


Re: Is there a way to include the time range used for a scheduled search in the emailed PDF of results?

Legend

You can always do this for any report:

yoursearchhere
| yourreporthere
| addinfo 
| eval TimeRange="Time range for report is from " . strftime(info_min_time,"%x %X") . " to " .  
         strftime(info_max_time,"%x %X")

However, it will probably look better if you use some other name in the eval instead of TimeRange. Here is an example:

index=web status=404
| stats count by host status
| appendpipe [ addinfo 
| eval host="Time range for report is from " . strftime(info_min_time,"%x %X") . " to " .
         strftime(info_max_time,"%x %X")  ]

This will put the "footnote" about the time range into the host column of the report. You can also play around with sorting, etc. to get the timerange information to the top of the report.

If you are creating a dashboard, you can put the time heading in its own panel at the top of the dashboard. However, you have to run some search before you get the addinfo data. So this would work:

index=main | head 1
| addinfo 
| eval 'Start Time'= strftime(info_min_time,"%x %X") 
| eval 'End Time'= strftime(info_max_time,"%x %X") 
| table "Start Time" "End Time"

Save this as a report and add it to any dashboard - or use it as an inline search in any dashboard.


Re: Is there a way to include the time range used for a scheduled search in the emailed PDF of results?

Contributor

Hi,

The aim is to add this info as the title of the email which I receive when the trigger happens...
How can I put them as tokens in the email trigger action (like the default search name, for example: $name$)?

Thanks,
Skender

0 Karma

Re: Is there a way to include the time range used for a scheduled search in the emailed PDF of results?

Contributor

I used the variables in the edit alert, email action:

"The alert condition for "$name$" was triggered.
Results' time range:
$job.earliestTime$ --- $job.latestTime$"

Skender
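
The two approaches from this thread combined in one scheduled report, as an added example that is not taken from any of the posts above: the `addinfo` fields put the range into the PDF table itself, and the email subject and body carry it as tokens. The stanza name, index, recipient address and schedule are placeholders, and the `$result.start$` / `$result.end$` tokens assume the `start` and `end` fields are present on the first result row.

```ini
# savedsearches.conf -- constructed example; stanza name, index,
# recipient and cron schedule are placeholders, not values from the thread.
[Monthly 404 report]
search = index=web status=404 \
| stats count by host status \
| addinfo \
| eval start=strftime(info_min_time, "%Y-%m-%d %T"), end=strftime(info_max_time, "%Y-%m-%d %T") \
| fields - info_min_time info_max_time info_search_time info_sid

# Search window: the previous calendar month, snapped to month boundaries.
dispatch.earliest_time = -1mon@mon
dispatch.latest_time = @mon

# Run at 06:00 on the first day of each month.
enableSched = 1
cron_schedule = 0 6 1 * *

# Email delivery with the results attached as a PDF.
action.email = 1
action.email.to = reports@example.com
action.email.sendpdf = 1

# $result.<field>$ reads the named field from the first result row,
# so start/end computed in the search appear in the subject line.
action.email.subject = $name$: $result.start$ to $result.end$

# $job.earliestTime$ / $job.latestTime$ come from the search job itself
# and need no extra fields in the search.
action.email.message.report = Results' time range: $job.earliestTime$ --- $job.latestTime$
```

Because `start` and `end` are kept as result fields, they also appear as columns on every row of the attached PDF; drop them with `fields` and rely on the job tokens alone if only the email text should show the range.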