I partially solved the problem by substituting the timeadded for timegenerated field. Timeadded is the time the scom db records an event. ... View more

I solved the problem by creating a drop-down menu allowing the user to choose a host (and time-range). The selected host is plugged into a pipeline that feeds an arbitrary filter. Hosts: myhosts | metadata type=hosts True main host host myhosts stringreplace True host= $target$ $host$ | head sourcetype_setting stringreplace True sourcetype= $target$ 24h False Submit flashtimeline ... View more

Could you give an example? ... View more

We allow user A to see logs from machines 1, 3 & 9, and user B machines 2, 3, & 4. We want user A to monitor errors on 1,3 & 9; likewise B monitors 2,3 & 4. We could teach A and B how to perform the search for each machine and instruct them save the search to simplify their job. However, we have hundreds of users and would prefer to automate the process one way or the other. Creating savedsearches at login seems like an obvious way, but perhaps there's another. I'm also looking at adding the above search to our app and linking the specific machines to the search within the app. ... View more

I want to provide our user with a simple way to perform their required log reviews. If they all need to look for certain events, they'll end up creating the same saved searches to perform the job and email the results. I'd rather create the common searches automatically and save everyone the manual and repetitious effort. ... View more