Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why does "all-time" mean two different things in a report vs. a search?

nick405060
Motivator
‎07-20-2020 07:01 PM

Hi,

 

"All-time" in the search interface means "now and in the future". "Since" in the search interface means "since, up until now". I have always just accepted that "since" behaves weirdly in this way

 

Today I discovered that "all-time" to the report scheduler means "up until now". That is, it does not populate `dispatch.latest_time` in `savedsearches.conf`. To me it seems extremely dangerous to have two different meanings of "all time" in the search interface vs. the scheduler, especially because you might have all-time search in the search interface that then doesn't work as a savedsearch

 

What is the logic behind this?

Labels (2)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-20-2020 11:20 PM

Hi

actually there are two different “all time”. First all time for normal search ( since now) and second one for real time search (to future). Of course the 2nd one needs that you have real time search capability. 
r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...