Hi,
I have two searches joined using the join command. The first search I need to run with earliest=-60mins, and the second search uses a summary index. Here I need to fetch all the results in the summary index, so I need to check and run the summary index for "all time".
How can this be done? I am giving earliest=-60min in my first search and the time range as "all time" while scheduling the report consisting of these two searches, but it is not working.
I have not used any time in my summary index. Search to populate my summary index:
index=testapp sourcetype=test_appresourceowners earliest=-24h latest=now
| table sys_id, dv_manager, dv_syncenabled, dv_resource, dv_recordactive
| collect addtime=false index=summaryindex source=testapp.
My scheduled report search:
index=index1 earliest=-60m
| join host
[| search index=summaryindex earliest="alltime"]
| table host field1 field2
Try
earliest=0