Scheduled Views
Scheduled Views speed the search process for small and historical subsets of your data by functioning as a pre-aggregated index.
- Due to the way data is indexed, not all operators are supported in Scheduled Views. See our list of supported operators.
- There is a limit of 500 Scheduled Views per account.
- Scheduled View queries run once per minute.
- Queries that run against Scheduled Views return search results much faster because the data is pre-aggregated before the query is run.
- Creating a Scheduled View for a query can vastly reduce the amount of data scanned at search time.
- Scheduled Views can include historical data from as far back as the beginning of your retention period (say, 60 days or 90 days). Because historical data is included, Scheduled Views can help uncover long-term trends.
- You can use Scheduled Views in Scheduled Searches, Dashboards, and ad hoc searches. Your Dashboards can include a large quantity of data without sacrificing performance.
- Scheduled Views are assigned to the InternalCollector index.
- Scheduled Views only count towards ingestion volume if they are non-aggregated raw results. Scheduled Views for aggregated results do not count towards ingestion volume.
- Account Admins and users whose role grants the "Manage Scheduled Views" role capability can set up Scheduled Views, but anyone in an organization can run searches against them. Other users' data access to a Scheduled View is governed by the search filters associated with their roles; they will only be able to see data to which their roles allow them access. For more information, see Construct a Search Filter for a Role.
How could my organization use Scheduled Views?
Web access trends. Creating a Scheduled View allows you to isolate logs related to your site, making it easy to report on web traffic patterns.
App usage metrics. A Scheduled View can help you track the usage of one or more applications over time. Depending on your deployment, you could build a Scheduled View for each application.
Threat analysis. Because a Scheduled View indexes any type of data, you could create a Scheduled View for firewall logs, for example. You could then leverage this Scheduled View to see how threat types and threat levels vary over time, or even which IPs from high-risk areas are hitting your site.
User behavior. A Scheduled View can be used to parse logins by user ID across your entire deployment, so you can answer audit-related questions quickly. Faster query results on this dataset allow for high-level investigations, such as checking to see if users have logged in during the past 60 days (or as far back as your retention period).
Note: For Scheduled View query requirements, see Scheduled Views Best Practices and Examples.
Guide Contents
In this section, we will introduce the following concepts:
Add a Scheduled View
To create a Scheduled View you must be an admin or have the Manage Scheduled Views role capability.
Pause or Disable Scheduled Views
Pausing a view stops new data from being indexed. You can resume indexing at any time.
Run a Search Against a Scheduled View
Running a search against the indexed data in a Scheduled View is almost exactly the same as running any other query. The difference you'll notice is the quick speed at which results are returned, especially if you're searching over a long period of historical data.
Scheduled View Lag Time
When you view the details of a Scheduled View, you can see who created it, creation date, lag time, query, and any error messages that may have been generated.
Scheduled Views Best Practices and Examples
A Scheduled View reduces the data it indexes to the bare minimum, so it contains only the results you need. Queries that run against Scheduled Views return search results much faster because the data is pre-aggregated before the query is run. Scheduled Views process queries once per minute.
View Information About Scheduled Views
This page describes how to view information about the Scheduled Views configured for your organization.