    Scheduled report misfire in 5.7 ?


      I just upgraded our LEM in Test to 5.7. I sent the Failed Logon event to nDepth, saved it, then created a schedule to e-mail me a report daily 1 second after midnight. About 2 minutes later, it e-mailed me a report... am I missing something about how the schedule time works?

          I tried to replicate this, but I wasn't able to.  I just setup an "All Events for the Last Day" report (my lab doesn't generate a ton of traffic) and asked it to run in 10 minutes...and nothing happened for ten minutes.


          If you create a new search, does this happen a second time?  I notice the default schedule for daily is to run NOW, so is it possible you saved the search, then edited the schedule after the run NOW condition was met?

            nicole pauls

            My guess: if the system believes you're scheduling a search that runs on some regular timeframe (like, daily) and you schedule it for a time that's past on that day, it's going to run it NOW for today (since it believes it missed your schedule), then on your schedule.