I have a saved search that has a time range of All time. The saved search contains `eval` and `stats` functions that I want to apply to certain time ranges only. The saved search is All time because I need to generate the FirstSeen date of an event in the report. I've found I cannot do this and no Statistics are generated.
Example saved search:
`index="log" | eval Label= case((status="0"),"Other" | stats earliest(_time) as FirstSeen, latest(_time) as LastSeen count values by host Label`
When I reference this saved search in another report and specify a time range, in this case the last hour on the hour – no stats are generated.
`|savedsearch "Master Report" | where _time>=relative_time(now(), "-1h@h") AND _time<=relative_time(now(), "@h") | table host Label FirstSeen LastSeen`
Is it not possible to filter for time ranges when referencing a saved search that has a `stats` command?
↧