I have set this alert up, which i want to show me the results of "today"
index=_internal source="*license_usage.lo*" type=Usage pool="Linux Pool"| stats sum(b) as bytes | eval gb=bytes/1024/1024/1024
but when it sends me an email, the results are not correct. I can click the link to "view in splunk", and at that point the time range is set as "date time range" and not as "today".
How can i set this to always be "today" in my search/alert?
Thanks!
↧