cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Materialize() and time ranges in analytics rules

ReganDangerCarey
Brass Contributor

‎Apr 13 2022 07:00 PM

‎Apr 13 2022 07:00 PM

Materialize() and time ranges in analytics rules

Hi all, was looking for some clarification around this but wasn't able to find anything online that could confirm one way or another.

 

If I want to use the materialize() function to cache 180d worth of data for use in my query, is it possible to use in an Analytics Rule? The 14d lookback limitation is there, and was wondering if materialize() is thus also restricted to 14 days maximum. My gut feel says it is, but some clear clarification on that would be awesome. 

Labels:
974 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by ReganDangerCarey (Brass Contributor)
Gary Bushey

‎Apr 14 2022 04:57 AM

‎Apr 14 2022 04:57 AM

Solution

Re: Materialize() and time ranges in analytics rules

@ReganDangerCarey You are correct in that you *cannot* cache 180days and use it in an Analytic rule.   The Analytics rules actually ignore any sort of time reference in the query (i.e. | where TimeGenerated > ago(180d)  )  so there is no way to specify you want to look more than 14 days in the past.

1 Like
Reply
Clive_Watson

‎Apr 18 2022 11:40 PM

‎Apr 18 2022 11:40 PM

Re: Materialize() and time ranges in analytics rules

Tiander did a great webcast here: https://youtu.be/G6TIzJK8XBA?t=3152 the workaround for “14days use case” starts at 42min - it works but only if you really really need to use it.
1 Like
Reply
1 best response

Accepted Solutions
best response confirmed by ReganDangerCarey (Brass Contributor)
Gary Bushey

‎Apr 14 2022 04:57 AM

‎Apr 14 2022 04:57 AM

Solution

Re: Materialize() and time ranges in analytics rules

@ReganDangerCarey You are correct in that you *cannot* cache 180days and use it in an Analytic rule.   The Analytics rules actually ignore any sort of time reference in the query (i.e. | where TimeGenerated > ago(180d)  )  so there is no way to specify you want to look more than 14 days in the past.

View solution in original post

1 Like
Reply