Solved: Set the earliest time for a scheduled search to th...

the0duke0 · ‎03-23-2016

Is it possible to set the earliest time for a scheduled search to be the last time the scheduled search ran? For example I know I can run a search every hour over the last hour (perhaps with some overlap) but if for some reason that search doesn't run for one or more hours the data would be missed. It would be great if there was some way to retrieve the last run time and use it in the earliest statement.

Thanks!

somesoni2 · ‎03-23-2016

Give this a try

index=foo sourcetype=bar latest=@h [ search index=_internal sourcetype=scheduler savedsearch_name="PutYourSavedSearchName" status=success earliest=-6h | stats max(scheduled_time) as earliest ] | rest of the search

Above search will look through last successful execution timestamp of the saved search and use as earliest.

View solution in original post

somesoni2 · ‎03-23-2016

Give this a try

index=foo sourcetype=bar latest=@h [ search index=_internal sourcetype=scheduler savedsearch_name="PutYourSavedSearchName" status=success earliest=-6h | stats max(scheduled_time) as earliest ] | rest of the search

Above search will look through last successful execution timestamp of the saved search and use as earliest.

chinmayc469 · ‎09-11-2018

what will be the earliest time for the first run of the scheduled search?

the0duke0 · ‎03-23-2016

Exactly what I was looking for, thank you!

Set the earliest time for a scheduled search to the last search time

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!