Dashboards & Visualizations

Is there an efficient way to access earliestTime/latestTime of a scheduled search in a dashboard?

cphair
Builder

I have a monthly scheduled search whose data I loadjob into a dashboard. I'd like to display the timeframe on the dashboard for the most recent run of the search, so users know whether they're looking at the most current data--not when it was supposed to run, but when it actually ran. Is there a rest search command or something to access the earliest/latest data for the most recent run of a scheduled search?

0 Karma

pradeepkumarg
Influencer

Audit logs should give you the information you are looking for

index=_audit source=audittrail savedsearch_name="YOUR_SAVED_SEARCH_NAME"| convert ctime(search_et) as EARLIEST| convert ctime(search_lt) as LATEST
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...