Why does "all-time" mean two different things in a...

nick405060 · ‎07-20-2020

Hi,

"All-time" in the search interface means "now and in the future". "Since" in the search interface means "since, up until now". I have always just accepted that "since" behaves weirdly in this way

Today I discovered that "all-time" to the report scheduler means "up until now". That is, it does not populate `dispatch.latest_time` in `savedsearches.conf`. To me it seems extremely dangerous to have two different meanings of "all time" in the search interface vs. the scheduler, especially because you might have all-time search in the search interface that then doesn't work as a savedsearch

What is the logic behind this?

isoutamo · ‎07-20-2020

Hi

actually there are two different “all time”. First all time for normal search ( since now) and second one for real time search (to future). Of course the 2nd one needs that you have real time search capability.
r. Ismo

Why does "all-time" mean two different things in a report vs. a search?

saved search

scheduled search

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?