Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why does "all-time" mean two different things in a report vs. a search?

nick405060
Motivator
‎07-20-2020 07:01 PM

Hi,

 

"All-time" in the search interface means "now and in the future". "Since" in the search interface means "since, up until now". I have always just accepted that "since" behaves weirdly in this way

 

Today I discovered that "all-time" to the report scheduler means "up until now". That is, it does not populate `dispatch.latest_time` in `savedsearches.conf`. To me it seems extremely dangerous to have two different meanings of "all time" in the search interface vs. the scheduler, especially because you might have all-time search in the search interface that then doesn't work as a savedsearch

 

What is the logic behind this?

Labels (2)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-20-2020 11:20 PM

Hi

actually there are two different “all time”. First all time for normal search ( since now) and second one for real time search (to future). Of course the 2nd one needs that you have real time search capability. 
r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...