Good day All,

We have enabled the searches as durable searches. In our environment due to any one or other activity the scheduled search may skip or go in delegate_remote_error or go in delegate_remote_completion with success=0. In those cases I wanted to take the last status of that scheduled search + scheduled time and check if that time period accomodates in upcoming durable_cursor. How to achieve this?

I tried with below one but this just fits for successful ones. How to get the failed ones too.

I am running the subsearch to take the savedsearches with scheduled time which is not success in the last 7 hours and taking those for further search to check if that durable_cursor has taken up for the next run and if it is success. Is this right approach. Or any other alternate approach available?

index=_internal sourcetype=scheduler [search index=_internal sourcetype=scheduler earliest=-7h@h latest=now | stats latest(status) as FirstStatus by scheduled_time savedsearch_name | search NOT FirstStatus IN ("success","delegated_remote") | eval Flag=if(FirstStatus="delegated_remote_completion" OR FirstStatus="delegated_remote_error",scheduled_time,"NO VALUE") | fields Flag savedsearch_name | rename Flag as durable_cursor ] | stats values(status) as FinalStatus values(durable_cursor) as durable_cursor by savedsearch_name scheduled_time