In Enterprise Security I have this correlation search which I believe includes searching through the previous 24 hours of events:
| inputlookup append=T listeningports_tracker | eval _time=firstTime | `hoursago(24)` | stats dc(dest) as dest_count by transport,dest_port | search dest_count>10
In the correlation search properties (Configure->Correlation Searches->Edit Correlation Search) you can specify a "time range". Would it be incorrect to specify the start time as -60m (previous 60 minutes) if the search string itself wants to go back 24 hours?
I'm confused about how the time range options affect searches that include defined time ranges.
Thanks.