I'm after some help on how to set up an adhoc search which displays to an ITSI Glass-table...
We've developed a number of dashboards which show the status of jobs, how many times they've run this period (normally each day) and what time they started and finished. This works great for jobs that are running daily.
We have 1 specific job that only runs if a file is present - typically that's only once or twice a month. I want to use an adhoc search which shows us the date/time that it was last run - for a time window of the previous 31 days. This works great if the job has run in the past 2 days, but the Glass-table editor doesn't allow me to change the "earliest time" to anything more than "2 days ago" - meaning that the dashboard displays an N/A.
If I manually run the search I get an option to extend the time-frame to the last 1 month, and the search works fine (today is 12th March, the job last ran on 09th March - which the manual search shows).
Is there a way of changing the "earliest time" on the Glass-Table to a longer time-frame than 2 days so we can display this info?
This is the search we are using (works fine manually):
index=mail" " "started" | stats latest(_time) as _time | eval last_processed_at="Last Run:" . strftime(_time, "%d/%m/%y, %H:%M") | table last_processed_at
This is the option that is presented on Glass-table editor:
If you are still having an issue with this, just as ansif said, add earliest=-2d to your search. I recommend something like:
index=mail" " "started" earliest=-2d
The minus (-) before the number means backwards, the 2 can be any number, and the d specifies days. If you want it from the beginning of the day, add @d (-2d@d); otherwise it is days ago from the current time.
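
How the modifiers described in the answer above resolve, as an added example that is not part of the original thread and is not Splunk code: a simplified Python model of relative time modifiers, limited to the s, m, h and d units. The dates are the ones in the question; the year and clock times are constructed.

```python
import re
from datetime import datetime, timedelta

# Simplified model of Splunk relative time modifiers: [+|-]<int><unit>[@<snap>]
# Assumption: only the s, m, h and d units are handled here.
_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
_MODIFIER = re.compile(r"^([+-])(\d+)([smhd])(?:@([smhd]))?$")


def resolve(modifier, now):
    """Return the absolute time a modifier such as -2d or -2d@d refers to."""
    if modifier == "now":
        return now
    m = _MODIFIER.match(modifier)
    if not m:
        raise ValueError(f"unsupported time modifier: {modifier!r}")
    sign, amount, unit, snap = m.groups()
    delta = timedelta(**{_UNITS[unit]: int(amount)})
    t = now + delta if sign == "+" else now - delta
    # The offset is applied first, then @<unit> rounds down to the unit start.
    if snap == "d":
        t = t.replace(hour=0, minute=0, second=0, microsecond=0)
    elif snap == "h":
        t = t.replace(minute=0, second=0, microsecond=0)
    elif snap == "m":
        t = t.replace(second=0, microsecond=0)
    elif snap == "s":
        t = t.replace(microsecond=0)
    return t


def in_window(event_time, earliest, now):
    """True if the event falls between the resolved earliest time and now."""
    return resolve(earliest, now) <= event_time <= now


# Constructed sample values: the question gives the dates (12 March, 9 March)
# but not the year or the clock times.
NOW = datetime(2019, 3, 12, 10, 30)
LAST_RUN = datetime(2019, 3, 9, 2, 15)

if __name__ == "__main__":
    for earliest in ("-2d", "-2d@d", "-31d@d"):
        print(earliest, resolve(earliest, NOW), in_window(LAST_RUN, earliest, NOW))
```

With these sample values the 9 March run falls outside both `-2d` and `-2d@d`, which matches the N/A on the glass table, and inside `-31d@d`.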