Scheduled Views speed the search process for small and historical subsets of your data by functioning as a pre-aggregated index. A Scheduled View reduces aggregate data down to the bare minimum, so it contains only the raw results that you need to generate your data.
- Scheduled View queries run once per minute.
- Queries that run against Scheduled Views return search results much faster because the data is pre-aggregated before the query is run.
- Creating a scheduled view for a query can vastly reduce the amount data scanned at search time—by as much as 1000%.
- Scheduled Views can include historical data from as far back as the beginning of your retention period (say, 60 days or 90 days). Because historical data is included, Scheduled Views can help uncover long-term trends.
- You can use Scheduled Views in Scheduled Searches, Dashboards, and ad hoc searches. Your Dashboards can include a large quantity of data without sacrificing performance.
- Scheduled Views are assigned to the InternalCollector index.
- Scheduled Views only count towards ingestion volume if they are non-aggregated raw results. Scheduled Views for aggregated results do not count towards ingestion volume.
- Only account Admins can set up Scheduled Views, but anyone in an organization can run searches against them.
How could my organization use Scheduled Views?
Web access trends. Creating a Scheduled View allows you to isolate logs related to your site, making it easy to report on web traffic patterns.
App usage metrics. A Scheduled View can help you track the usage of one or more applications over time. Depending on your deployment, you could build a Scheduled View for each application.
Threat analysis. Because a Scheduled View indexes any type of data, you could create a Scheduled View for firewall logs, for example. You could then leverage this Scheduled View to see how threat types and threat levels vary over time, or even which IPs from high-risk areas are hitting your site.
User behavior. A Scheduled View can be used to parse logins by user ID across your entire deployment, so you can answer audit-related questions quickly. Faster query results on this dataset allow for high-level investigations, such as checking to see if users have logged in during the past 60 days (or as far back as your retention period).