I am trying to run a search that returns one row of results over a long historical time window on a per hour basis.
Due to the investigation method, I need to run this over almost 60 days.
The search cannot be timecharted or timeboxed via stats because there are subsearches that return fields relevant for that particular hour...
I was thinking of the below search in a scheduled search...
Each time range will have a row with results as well because we have append=true
The problem is, if there are no results then the row is not generated, and as a result the time lookup is stuck at that time window and goes stale.
How do I account for this?
Is there a better approach to run searches multiple times on a time basis, e.g. 1 hour?
[| inputlookup results_and_time.csv
| tail 1
| fields earliestTime latestTime
| rename earliestTime as earliest , latestTime as latest
| stats values(sourcetype) as sourcetype earliest(info_min_time) as earliestTime , latest(info_max_time) as latestTime
| eval earliestTime = relative_time(earliestTime,"+1h") , latestTime = relative_time(latestTime,"+1h")
| outputlookup append=true results_and_time.csv
p.s. Adding the time range manually for the initial run without the inputlookup to add the earliest & latest..
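The following is an added example, not code from the original post and not Splunk SPL: a small Python simulation of the scheduled-search bookkeeping described above. It models the lookup CSV as text, the `tail 1` / `outputlookup append=true` steps as functions, and a stand-in `search()` over a few constructed events. It assumes epoch-second times, and each row records the window that was just searched (rather than the next window, as the posted search does), so the next run starts from the last row's `latestTime`. `naive_run` reproduces the failure mode from the question (an empty hour appends no row, so the window never advances); `fixed_run` always appends a row, with `count` 0 for an empty hour, so the walk continues.

```python
"""Hypothetical simulation of an hourly scheduled search that persists its
last window in a CSV lookup. Constructed sample data; not Splunk code."""
import csv
import io

HOUR = 3600
FIELDS = ["earliestTime", "latestTime", "count", "sourcetype"]

# Constructed sample data: three events over four hours, with nothing in
# hour 2. START is an arbitrary hour boundary in epoch seconds.
START = 1_700_000_000
EVENTS = [
    {"_time": START + 1 * HOUR + 10, "sourcetype": "access_combined"},
    {"_time": START + 1 * HOUR + 20, "sourcetype": "syslog"},
    {"_time": START + 3 * HOUR + 5, "sourcetype": "syslog"},
]


def search(earliest, latest):
    """Stand-in for the real search: events with earliest <= _time < latest."""
    return [e for e in EVENTS if earliest <= e["_time"] < latest]


def read_rows(lookup_text):
    """Parse the lookup CSV into a list of dicts (inputlookup)."""
    return list(csv.DictReader(io.StringIO(lookup_text)))


def last_window(lookup_text):
    """Window recorded by the last row (the `| tail 1` step)."""
    row = read_rows(lookup_text)[-1]
    return int(row["earliestTime"]), int(row["latestTime"])


def append_row(lookup_text, earliest, latest, events):
    """outputlookup append=true: add one row describing a searched window."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    if not lookup_text:
        writer.writeheader()
    writer.writerow({
        "earliestTime": earliest,
        "latestTime": latest,
        "count": len(events),
        # space-joined distinct values, like values(sourcetype)
        "sourcetype": " ".join(sorted({e["sourcetype"] for e in events})),
    })
    return lookup_text + out.getvalue()


def naive_run(lookup_text):
    """One scheduled run as in the question: stats over an empty result set
    yields no row, so nothing is appended and the window never advances."""
    _, prev_latest = last_window(lookup_text)
    earliest, latest = prev_latest, prev_latest + HOUR
    events = search(earliest, latest)
    if not events:
        return lookup_text  # stuck: next run re-reads the same window
    return append_row(lookup_text, earliest, latest, events)


def fixed_run(lookup_text):
    """Always record the window, with count 0 when the hour was empty."""
    _, prev_latest = last_window(lookup_text)
    earliest, latest = prev_latest, prev_latest + HOUR
    events = search(earliest, latest)
    return append_row(lookup_text, earliest, latest, events)


def schedule(run, lookup_text, n_runs):
    """Drive the scheduled search n_runs times, threading the lookup through."""
    for _ in range(n_runs):
        lookup_text = run(lookup_text)
    return lookup_text


def seed_lookup():
    """The manual first run: record hour 0 so later runs have a row to read."""
    return append_row("", START, START + HOUR, search(START, START + HOUR))


if __name__ == "__main__":
    print(schedule(naive_run, seed_lookup(), 3))  # stops after hour 1
    print(schedule(fixed_run, seed_lookup(), 3))  # covers hours 0 to 3
```

The design point is that the lookup row must be driven by the window itself, not by the presence of results: the window row is written unconditionally and the results (count, sourcetypes) are attached to it, so an empty hour still leaves a row to read on the next run.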