I am having trouble crafting a search to identify auto-finalized or truncated searches.
This is the search I am using currently.
index="_internal" status="skipped" search_type="scheduled"
| eval Scheduled=strftime(scheduled_time, "%Y-%m-%d %H:%M:%S")
| stats values(Scheduled) as Scheduled
        values(status) as Status
        values(user) as User
        values(savedsearch_id) as Savedsearch_id
        values(savedsearch_name) as Savedsearch_name
        values(reason) as Reason
        by _time,savedsearch_name
| sort - Scheduled
| table Scheduled Status User Savedsearch_id Savedsearch_name Reason
index="_internal" status="skipped" search_type="scheduled"
| eval Scheduled=strftime(scheduled_time, "%Y-%m-%d %H:%M:%S")
| stats values(Scheduled) as Scheduled
        values(status) as Status
        values(user) as User
        values(savedsearch_id) as Savedsearch_id
        values(savedsearch_name) as Savedsearch_name
        values(reason) as Reason
        by _time,savedsearch_name
| sort 0 - Scheduled
| table Scheduled Status User Savedsearch_id Savedsearch_name Reason
Hi, I removed the restriction by using sort 0 - Scheduled.