Hi there,
I'm looking to create an alert that searches for entries 30 days greater than today. So basically, if I run the alert in a search right now, and 31 days ago something was created, I want to see those results. I figured out that I need a where clause since the advanced search isn't retained when you Save As > Alert, but I can't figure out the correct way to write it. I'd appreciate any help. Thanks so much!
In your search, you can explicitly set a time range. This is true whether the search is used as an alert or a report. While you can do this by clicking the timerange selector, you can also do it in the search itself, like this:
sourcetype=xyx index=abc earliest=-31d@d latest=-30d@d
This says "start the search at the beginning of the day exactly 31 days ago, and end the search at the beginning of the day exactly 30 days ago."
Instead of "d" for day, you can also use (h)our, (m)inute, etc. Here is the list of time modifiers and a few examples.
You don't need a where command.
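As an added illustration (not code from the thread or from Splunk), the helper below resolves relative time modifiers such as earliest=-31d@d latest=-30d@d the way the answer describes: offsets before "@" are applied first, then the snap-to, then any offset after it. Running it against a fixed reference time lets you check which window a saved alert will actually cover before you schedule it; the function names and the reference timestamp are assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumed helper (not Splunk's own code): resolves Splunk-style relative time
# modifiers such as "-31d@d" against a reference time, so an alert author can
# check which window a saved search will actually cover when it runs.
_TOKEN = re.compile(r"([+-]\d+)([smhdw])|@([smhd])")
_UNIT = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}
_SNAP = {
    "s": {"microsecond": 0},
    "m": {"second": 0, "microsecond": 0},
    "h": {"minute": 0, "second": 0, "microsecond": 0},
    "d": {"hour": 0, "minute": 0, "second": 0, "microsecond": 0},
}

def relative_time(modifier: str, now: datetime) -> datetime:
    """Apply offsets before '@', then snap to the unit, then offsets after it.

    "-31d@d"   -> midnight at the start of the day 31 days ago.
    "-1d@d+8h" -> 08:00 yesterday.
    """
    if modifier == "now":
        return now
    t, pos = now, 0
    for m in _TOKEN.finditer(modifier):
        if m.start() != pos:  # reject junk between tokens
            raise ValueError(f"unparseable modifier: {modifier!r}")
        pos = m.end()
        if m.group(3):  # '@unit' snap-to: truncate to the start of that unit
            t = t.replace(**_SNAP[m.group(3)])
        else:           # signed offset, e.g. -31d or +8h
            t += timedelta(**{_UNIT[m.group(2)]: int(m.group(1))})
    if pos != len(modifier):  # trailing junk
        raise ValueError(f"unparseable modifier: {modifier!r}")
    return t

def search_window(earliest: str, latest: str, now_iso: str) -> tuple:
    """Return (start, end) ISO timestamps of the window an alert covers at now_iso."""
    now = datetime.fromisoformat(now_iso)
    start, end = relative_time(earliest, now), relative_time(latest, now)
    if start >= end:
        raise ValueError("earliest must be before latest")
    return start.isoformat(), end.isoformat()

if __name__ == "__main__":
    # constructed reference time; the thread's earliest/latest pair
    print(search_window("-31d@d", "-30d@d", "2024-03-15T14:37:09"))
    # -> ('2024-02-13T00:00:00', '2024-02-14T00:00:00')
```

Because the snap-to happens after the offset, the two boundaries always fall on midnight, so the window is exactly one calendar day regardless of when the alert fires.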
Thank you both very much. earliest=-31d@d latest=-30d@d did the trick.
Hi Prains,
I think it works if you use "-30d" in the Finish time.
Hope it helps.