https://community.splunk.com/t5/Splunk-Search/Real-time-search-with-fixed-start/m-p/90804#M23330 <P>I'd like to create a real-time search and chart plotting logged values since midnight. My search is below.<BR /> <CODE>eventtype="val_update" | rex "(?i) val=(?P&lt;pnl&gt;.+)" | timechart latest(val) span=3m</CODE></P> <P>When setting the search window how can I use the <CODE>rt</CODE> value for the latest time with something like <CODE>@d</CODE> for the earliest time?</P> Wed, 04 Jul 2012 15:33:56 GMT marksnelling 2012-07-04T15:33:56Z https://community.splunk.com/t5/Splunk-Search/Real-time-search-with-fixed-start/m-p/90804#M23330 <P>I'd like to create a real-time search and chart plotting logged values since midnight. My search is below.<BR /> <CODE>eventtype="val_update" | rex "(?i) val=(?P&lt;pnl&gt;.+)" | timechart latest(val) span=3m</CODE></P> <P>When setting the search window how can I use the <CODE>rt</CODE> value for the latest time with something like <CODE>@d</CODE> for the earliest time?</P> Wed, 04 Jul 2012 15:33:56 GMT https://community.splunk.com/t5/Splunk-Search/Real-time-search-with-fixed-start/m-p/90804#M23330 marksnelling 2012-07-04T15:33:56Z https://community.splunk.com/t5/Splunk-Search/Real-time-search-with-fixed-start/m-p/90805#M23331 <P>To do a realtime backfill with a snap to day you just use earliest as rt-d@d and latest as rt</P> Thu, 05 Jul 2012 08:17:54 GMT https://community.splunk.com/t5/Splunk-Search/Real-time-search-with-fixed-start/m-p/90805#M23331 Drainy 2012-07-05T08:17:54Z https://community.splunk.com/t5/Splunk-Search/Real-time-search-with-fixed-start/m-p/90806#M23332 <P>If I understand this correctly, I should use rt-@d in the Earliest field in the search Custom Time range? If I do this Splunk complains it's an invalid time string.</P> Thu, 05 Jul 2012 08:28:11 GMT https://community.splunk.com/t5/Splunk-Search/Real-time-search-with-fixed-start/m-p/90806#M23332 marksnelling 2012-07-05T08:28:11Z https://community.splunk.com/t5/Splunk-Search/Real-time-search-with-fixed-start/m-p/90807#M23333 <P>Sorry, its rt-d@d, typo in my answer <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Sun, 08 Jul 2012 11:12:43 GMT https://community.splunk.com/t5/Splunk-Search/Real-time-search-with-fixed-start/m-p/90807#M23333 Drainy 2012-07-08T11:12:43Z https://community.splunk.com/t5/Splunk-Search/Real-time-search-with-fixed-start/m-p/90808#M23334 <P>Actually rt-0@d seems to do what I want</P> Fri, 13 Jul 2012 12:09:07 GMT https://community.splunk.com/t5/Splunk-Search/Real-time-search-with-fixed-start/m-p/90808#M23334 marksnelling 2012-07-13T12:09:07Z