I am currently generating a summary index using the following saved search.
sourcetype=mail | sistats count as sbj_count by subject
which I am accessing using:
summaryindex=myindex report=report_for_this_search | stats count as sbj_count by subject
This works; however, I need an _time value, which this does not have. I tried to create one by changing the saved search, based on the documentation for summary indexing without a timestamp, to
sourcetype=mail | sistats count as sbj_count by subject | eval _time=now()
and accessing it using
summaryindex=myindex report=report_for_this_search | stats count as sbj_count by subject | eval _time=now() | table _time,subject,sbj_count
This produces _time values equal to the time of my search rather than the time of the search which generated the summary index. How do I get the _time value to be the time that the summary index event ran rather than when I searched the summary index?