I have dashboard which has user input to select host (from dropdown) and timerange-
since its big search I was thinking to create scheduled saved search which will run periodically and this saved search will be referred in dashboard .
1. since in dashboard I have dropdown to select host so while writing scheduled saved search I need to mention host=* in query to run for all host?
2. and if I am running saved search on last 3 days periodically but in my dashboard if I select timerange as last 7 days then does it will rerun the search over last 7 days or how it will work?
Please clarify above points.
Note-I have multiple host and from each host high amount of data is coming.
You cannot have variable time ranges or parameters on a scheduled saved search.
I think you slightly need to change your strategy here. Considering that you have large amount of data and that your time range needs to be variable,
1. Use your scheduled search to summarize to a summary index.
2. In your dashboard, query on the summary index.
3. (Optional) Depending on your use case, you could also then consider using a "base search" on your summary index in the dashboard to speed up things further.
If you still want to continue using scheduled searches on your dashboard, you can partially do it. However, you cannot work around the time ranges in an easy way. So without variable time range,
1. schedule your saved search for all hosts
2. in your dashboard, use loadjob to load your savedsearch and then filter the host
| loadjob sid
| search host IN ($selected_hosts$)
Hope this helps.
Cheers.
You cannot have variable time ranges or parameters on a scheduled saved search.
I think you slightly need to change your strategy here. Considering that you have large amount of data and that your time range needs to be variable,
1. Use your scheduled search to summarize to a summary index.
2. In your dashboard, query on the summary index.
3. (Optional) Depending on your use case, you could also then consider using a "base search" on your summary index in the dashboard to speed up things further.
If you still want to continue using scheduled searches on your dashboard, you can partially do it. However, you cannot work around the time ranges in an easy way. So without variable time range,
1. schedule your saved search for all hosts
2. in your dashboard, use loadjob to load your savedsearch and then filter the host
| loadjob sid
| search host IN ($selected_hosts$)
Hope this helps.
Cheers.
This makes sense to me..Thank a lot @arjunpkishore5