Hi hylam,
assuming your saved search is named foo...
How do I list them?
index=_audit savedsearch_name="foo" search_id='scheduler_*'
Can I run a subsearch to list them and pick the 5th one?
| loadjob [ search index=_audit savedsearch_name="foo" search_id='scheduler_*' | fields _time, search_id | sort - _time | head 5 | tail 1 | rename search_id AS search | eval search=replace(search, "\'","") ]
Can I run a subsearch to list them and pick a random one?
| loadjob [ search index=_audit savedsearch_name="foo" search_id='scheduler_*' | fields _time, search_id | sort - _time | eval random=random() | eval random=substr(random, 1, 1) | table search_id, random | dedup random | where random="7" | rename search_id AS search | eval search=replace(search, "\'","") | fields - random ]
Some messy work around since tail and head don't like to use $boo$ values 😉
Hope this helps ...
cheers, MuS
