I have report scheduled to run 0 minutes past every hour to generate the tabular results for last 60 minutes and send the email including the link to results.
report has successfully sent the email (at 00:00,01:00,........,10:00, 11:00, 12:00.....23:00)
If i access the link to results at 12:10 in the email that was generated at 10:00, i am able to see the latest results only (i.e., results generated at 12:00, even though i am clicking on the previous link).
Can anyone please help me how can i check the results that are generated at that particular time range by clicking the link in respective email.
@to4kawa As i mentioned it is scheduled report, my issue is not with the alert.
In splunk 6.6.3 v i cannot find Add to triggered alerts.
can we check the past results for scheduled report mail, as we are able to do so in alert mail.
I think that by default splunk only keeps the last 2 scheduled executions of any saved search.
See this link for how to adjust it:
This is especially easy if you have the SID (and it hasn't expired).
Simply use loadjob and pass in the SID:
You can also load results using the saved search name:
You can also add in "artifact_offset" when using saved search name, which allows you to go back in time on the runs (one older than the newest, e.g.).