earliest=-30d@d latest=@m sourcetype=Apps (sub_source!="'A'" AND sub_source!="'B'")
AND
(((Hosted="TEST") AND (err_time > "'04/22/2015 01:00:00'"))
OR
((Hosted="PROD") AND (err_time < "'04/22/2015 01:00:00'")))
I need to find a way to automate this search so it will show the past 24hr from TEST with the past 30 days of PROD without having to manually change the date every time I want to run it. Any help would be greatly appreciated! Thanks
Hi, try something like this:
| multisearch
[search earliest=-24h
sourcetype=Apps (sub_source!="'A'"
AND sub_source!="'B'")
AND
((Hosted="TEST") AND (err_time >
"'04/22/2015 01:00:00'"))]
[search earliest=-30d@d latest=@m
sourcetype=Apps (sub_source!="'A'"
AND sub_source!="'B'")
AND
((Hosted="PROD") AND (err_time <
"'04/22/2015 01:00:00'"))]
| continue_here
In place of continue_here you can do what you want: an eval, table, chart, ...
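A single-search variant that computes the cut-off at run time instead of hard-coding the date (an added example, not part of the original posts). It keeps the shape of the question's search, with TEST events newer than the cut-off and PROD events older than it, and it assumes err_time always holds a single-quoted MM/DD/YYYY HH:MM:SS string like the literal in the question. The field names err_epoch and cutoff are made up for this example.

```spl
sourcetype=Apps earliest=-30d@d latest=@m sub_source!="'A'" sub_source!="'B'" (Hosted="TEST" OR Hosted="PROD")
| eval err_epoch=strptime(trim(err_time, "'"), "%m/%d/%Y %H:%M:%S")
| eval cutoff=relative_time(now(), "-24h")
| where (Hosted="TEST" AND err_epoch>=cutoff) OR (Hosted="PROD" AND err_epoch<cutoff)
```

Parsing err_time to epoch seconds makes the comparison numeric rather than a string comparison of date text. Events whose err_time does not match the assumed format get a null err_epoch and are dropped by the where clause.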
Thank you!
Please, can I have all the sample of your code, please?