Overwrite earliest/latest time during search for saved search



I am looking to change the earliest/latest time during search for saved searches. It's working for a normal search query but not for savedsearch. Is this expected?

Is there a way to override the time for savedsearch? For my search query I am getting the earliest/latest time from another file that is generated dynamically, so I can't use the time picker.

Case 1: Override of earliest/latest time doesn't work for saved search.

Case 2: Override of earliest/latest time works for normal search query.


Ultra Champion

A saved search has a defined time window, which is configured when you build the original search; this timeframe is used when the search is executed.

You can't pass earliest/latest to the savedsearch command because you are recalling events with a predetermined window.
Notice that the parameters are not formatted as green when passed to the saved search, but they are for the normal search.

If you are using the saved search to recall a complex search query, consider using a macro instead.

If my comment helps, please give it a thumbs up!