Forum Discussion
ReganDangerCarey (Brass Contributor)
Apr 14, 2022
Materialize() and time ranges in analytics rules
Hi all, was looking for some clarification around this but wasn't able to find anything online that could confirm one way or another.
If I want to use the materialize() function to cache 180d worth of data for use in my query, is it possible to use in an Analytics Rule? The 14d lookback limitation is there, and was wondering if materialize() is thus also restricted to 14 days maximum. My gut feel says it is, but some clear clarification on that would be awesome.
- GaryBushey (Bronze Contributor)
ReganDangerCarey You are correct in that you *cannot* cache 180 days and use it in an Analytic rule. The Analytics rules actually ignore any sort of time reference in the query (i.e. | where TimeGenerated > ago(180d) ) so there is no way to specify you want to look more than 14 days in the past.
- Clive_Watson (Bronze Contributor)
Tiander did a great webcast here: https://youtu.be/G6TIzJK8XBA?t=3152 the workaround for “14 days use case” starts at 42min - it works but only if you really, really need to use it.