Hi All,
I have a search like this:
|savedsearch [search index=_internal |eval tnow6 = now() | convert ctime(tnow6) | eval s=substr(tnow6,15,15) |eval r=substr(s,0,2)|eval SwitcherValue2=case(r%2=1,"alert1",r%2=0,"alert2")|dedup SwitcherValue2|return $SwitcherValue2]|table _time * threshold|makecontinuous _time
Here alert1 and alert2 are the saved searches, but I am facing a problem: sometimes the Splunk daemon does not respond. I thought it was because the index search takes a long time, so my search has timed out.
How can I use inputlookup instead of index="_internal"?
Here, with my query, my saved search changes every 1 minute.
Can you please help me?