Check if the data that you get when manually running your search are in the time window of the scheduled report.
In other words, if you scheduled the report to run at 10.00 taking logs in the last hour, check if there were logs from 9.00 to 10.00; maybe, manually running your report at 10.15, you have logs after 10.00 but not before.
In this case you have to reschedule your report.
It's difficult to debug the report without seeing it!
Anyway, check the user running the scheduled report and, if possible, give everyone (possibly only for testing) read permission on all the knowledge objects (eventtypes, fields, lookups, etc.) used in the report.
Hello. I have an admin role.
Sharing -> global (all apps)
The following messages were returned by the search subsystem:
info : No results. Created empty file 'file.csv'
info : Your timerange was substituted based on your search string
index=«indexname» earliest=-1w@w latest=now
| table abc1 abc2 abc3
| join abc3 type=left[
| search index=«indexname» earliest=1 latest=now
| table abc3,abc4, abc5]
| regex abc4="^(?:10|9)\.$"
So events with sourcetype1 arrive every week and events with sourcetype2 arrive every month, is that correct?
Please try this different approach to regex, because probably the problem is that there's the limit of 50,000 results in subsearches:
(index=your_index earliest=-1w@w latest=now) OR (index=your_index earliest=-1mon@mon latest=now) | stats values(abc1) AS abc1 values(abc2) AS abc2 values(abc4) AS abc4 values(abc5) AS abc5 BY abc3
Sorry, I cannot read the regex; please, when you share code (especially regexes), use the "Insert/Edit Code Sample" button.
earliest=1 latest=now is (all time).
There are two sourcetypes in the index:
sourcetype1 = abc1, abc2, abc3
sourcetype2 = abc3, abc4, abc5
In "sourcetype1", data is received every week.
In "sourcetype2", data is received every month.