https://community.splunk.com/t5/Splunk-Search/Defining-a-Real-time-search-window/m-p/99115#M25586 <P>Hi oreni</P> <P>did you enable the <A href="http://docs.splunk.com/Documentation/Splunk/latest/User/RealtimeSearch?r=searchtip#Specify_real-time_time_range_windows">Real-time backfill</A> in limits.conf?</P> <P>cheers</P> Thu, 27 Oct 2011 14:18:14 GMT MuS 2011-10-27T14:18:14Z https://community.splunk.com/t5/Splunk-Search/Defining-a-Real-time-search-window/m-p/99114#M25585 <P>Hello, </P> <P>I would like to set a real time search which counts events occurred starting from the beginning of the day (12am) until current time. </P> <P>Using the convention of "earliest=-0d@d latest=rt" yielded an error. </P> <P>Any ideas on how to define such window in real time search ? </P> <P>Thanks.</P> Thu, 27 Oct 2011 14:01:09 GMT https://community.splunk.com/t5/Splunk-Search/Defining-a-Real-time-search-window/m-p/99114#M25585 oreni 2011-10-27T14:01:09Z https://community.splunk.com/t5/Splunk-Search/Defining-a-Real-time-search-window/m-p/99115#M25586 <P>Hi oreni</P> <P>did you enable the <A href="http://docs.splunk.com/Documentation/Splunk/latest/User/RealtimeSearch?r=searchtip#Specify_real-time_time_range_windows">Real-time backfill</A> in limits.conf?</P> <P>cheers</P> Thu, 27 Oct 2011 14:18:14 GMT https://community.splunk.com/t5/Splunk-Search/Defining-a-Real-time-search-window/m-p/99115#M25586 MuS 2011-10-27T14:18:14Z https://community.splunk.com/t5/Splunk-Search/Defining-a-Real-time-search-window/m-p/99116#M25587 <P>Yes, I've set this flag to true and still there was no change.</P> Thu, 27 Oct 2011 14:22:54 GMT https://community.splunk.com/t5/Splunk-Search/Defining-a-Real-time-search-window/m-p/99116#M25587 oreni 2011-10-27T14:22:54Z https://community.splunk.com/t5/Splunk-Search/Defining-a-Real-time-search-window/m-p/99117#M25588 <P>Hi oreni</P> <P>The 'rt' values are not designed to be used within the search language. They are configuration values that can be used inside times.conf (to add predefined options to the Time Range Picker), in the saved search dialog or if you were directly using the REST API to access the splunk backend search engine.</P> <P>I just tested it and this entry in times.conf works fine in 4.1.8:</P> <PRE><CODE>[rt-yesterday] label = Real-Time Yesterday earliest_time = rt-1d@d latest_time = rt order = 10 </CODE></PRE> <P>cheers</P> Fri, 28 Oct 2011 12:20:47 GMT https://community.splunk.com/t5/Splunk-Search/Defining-a-Real-time-search-window/m-p/99117#M25588 MuS 2011-10-28T12:20:47Z