I have a simple query which queries the index to get the data from the last 2 minutes, but I am seeing this query is failing because it took apiStartTime='Thu Jan 1 00:00:00 1970'.
Here is the full detail from the audit index:
Audit:[timestamp=09-15-2017 12:41:07.647, id=744860, user=admin, action=search, info=granted , search_id='1505479267.94198', search='search index=os sourcetype=cpu all earliest=-2m@m latest=-1m@m |dedup host| eval fields=split(_raw," ") | eval num=mvindex(fields,-1)| eval cpuUtilization = 100-num |eval human_readable_time=strftime(_time, "%Y-%m-%d %H:%M:%S") |table human_readable_time host cpuUtilization', autojoin='1', buckets=0, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='Thu Jan 1 00:00:00 1970', apiEndTime='MIN_TIME', savedsearch_name=""][OOj/tZOTT67cXMJngBqHtmpymXMqPZk1wkW1X026icQsZ7ngXEcld/gYjUW4Lx2dAKstiykGXcD7JQcFxlZWS5+k9opZO04TntE8VP9ZbcAwwyJqgm6pVnJnHE0nwtExDgrn3tFxp33fs2Xgj15106f59VCvM39d5WHA7b6oD8c=]
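Added example (not part of the post above and not Splunk code): a small parser for the Audit:[...][...] line quoted in the post. It splits the key=value list while respecting the single- and double-quoted values (so the commas inside the SPL string stay intact), pulls the earliest=/latest= modifiers out of the search string, converts the ctime-style apiStartTime/apiEndTime values to epoch seconds, and flags entries where the SPL asks for a bounded window but the recorded apiStartTime is the Unix epoch. Assumptions: the timestamp in apiStartTime carries no zone and is treated as UTC; sentinel values such as MIN_TIME are returned as None; the trailing bracketed block is kept as an opaque string and not verified. The sample line is the one from the post, embedded here as constructed input.

```python
import re
from datetime import datetime, timezone

# Constructed input: the audit.log entry quoted in the post, copied verbatim.
SAMPLE_LINE = """Audit:[timestamp=09-15-2017 12:41:07.647, id=744860, user=admin, action=search, info=granted , search_id='1505479267.94198', search='search index=os sourcetype=cpu all earliest=-2m@m latest=-1m@m |dedup host| eval fields=split(_raw," ") | eval num=mvindex(fields,-1)| eval cpuUtilization = 100-num |eval human_readable_time=strftime(_time, "%Y-%m-%d %H:%M:%S") |table human_readable_time host cpuUtilization', autojoin='1', buckets=0, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='Thu Jan 1 00:00:00 1970', apiEndTime='MIN_TIME', savedsearch_name=""][OOj/tZOTT67cXMJngBqHtmpymXMqPZk1wkW1X026icQsZ7ngXEcld/gYjUW4Lx2dAKstiykGXcD7JQcFxlZWS5+k9opZO04TntE8VP9ZbcAwwyJqgm6pVnJnHE0nwtExDgrn3tFxp33fs2Xgj15106f59VCvM39d5WHA7b6oD8c=]"""

# Outer shape: Audit:[ key=value, ... ][ trailing opaque block ]
AUDIT_RE = re.compile(r"^Audit:\[(?P<body>.*)\]\[(?P<sig>[^\]]*)\]\s*$")
# earliest=/latest= modifiers inside the SPL string (not e.g. index_earliest=)
TIME_MOD_RE = re.compile(r"(?<![\w.])(earliest|latest)=(\S+)")


def _parse_kv(body):
    """Split the comma-separated key=value list, honouring '...' and "..."
    quoting so commas inside a quoted value (e.g. split(_raw," ")) are kept."""
    fields, i, n = {}, 0, len(body)
    while i < n:
        while i < n and body[i] in ", ":      # skip separators
            i += 1
        eq = body.find("=", i)
        if i >= n or eq < 0:
            break
        key = body[i:eq].strip()
        i = eq + 1
        if i < n and body[i] in "'\"":        # quoted value: read to the closing quote
            quote = body[i]
            j = body.find(quote, i + 1)
            if j < 0:                         # unterminated quote: take the rest
                j = n
            fields[key] = body[i + 1:j]
            i = j + 1
        else:                                 # bare value: read to the next comma
            j = body.find(",", i)
            if j < 0:
                j = n
            fields[key] = body[i:j].strip()
            i = j
    return fields


def parse_audit_line(line):
    """Return {'fields': {...}, 'signature': str}, or None for a non-Audit line."""
    m = AUDIT_RE.match(line)
    if not m:
        return None
    return {"fields": _parse_kv(m.group("body")), "signature": m.group("sig")}


def search_time_window(spl):
    """Pull the earliest=/latest= modifiers out of the SPL string."""
    return {name: value for name, value in TIME_MOD_RE.findall(spl)}


def parse_api_time(value):
    """Convert a ctime-style apiStartTime/apiEndTime value to epoch seconds.
    Sentinels such as MIN_TIME, or anything not in that format, give None.
    Assumption: the value carries no zone and is interpreted as UTC."""
    text = " ".join(value.split())              # collapse 'Jan  1' style padding
    try:
        dt = datetime.strptime(text, "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    return int(dt.replace(tzinfo=timezone.utc).timestamp())


def flag_epoch_start(fields):
    """True when the SPL requests a bounded window (earliest=...) but the
    API-level start time recorded in the audit entry is the Unix epoch (0)."""
    window = search_time_window(fields.get("search", ""))
    api_start = parse_api_time(fields.get("apiStartTime", ""))
    return "earliest" in window and api_start == 0


if __name__ == "__main__":
    rec = parse_audit_line(SAMPLE_LINE)
    f = rec["fields"]
    print("user:", f["user"], "search_id:", f["search_id"])
    print("SPL window:", search_time_window(f["search"]))
    print("apiStartTime:", f["apiStartTime"], "->", parse_api_time(f["apiStartTime"]))
    print("apiEndTime:", f["apiEndTime"], "->", parse_api_time(f["apiEndTime"]))
    print("epoch-zero start flagged:", flag_epoch_start(f))
```

Run against the line from the post, the SPL window comes out as earliest=-2m@m / latest=-1m@m while apiStartTime maps to epoch 0 and apiEndTime to None, so the entry is flagged; the same functions can be run over a whole exported audit index to list every search_id with that mismatch.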