Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Defining a Real time search window

oreni
Explorer
‎10-27-2011 07:01 AM

Hello,

I would like to set a real time search which counts events occurred starting from the beginning of the day (12am) until current time.

Using the convention of "earliest=-0d@d latest=rt" yielded an error.

Any ideas on how to define such window in real time search ?

Thanks.

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎10-28-2011 05:20 AM

Hi oreni

The 'rt' values are not designed to be used within the search language. They are configuration values that can be used inside times.conf (to add predefined options to the Time Range Picker), in the saved search dialog or if you were directly using the REST API to access the splunk backend search engine.

I just tested it and this entry in times.conf works fine in 4.1.8:

[rt-yesterday]
label = Real-Time Yesterday
earliest_time = rt-1d@d
latest_time = rt
order = 10

cheers

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎10-28-2011 05:20 AM

Hi oreni

The 'rt' values are not designed to be used within the search language. They are configuration values that can be used inside times.conf (to add predefined options to the Time Range Picker), in the saved search dialog or if you were directly using the REST API to access the splunk backend search engine.

I just tested it and this entry in times.conf works fine in 4.1.8:

[rt-yesterday]
label = Real-Time Yesterday
earliest_time = rt-1d@d
latest_time = rt
order = 10

cheers

Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎10-27-2011 07:18 AM

Hi oreni

did you enable the Real-time backfill in limits.conf?

cheers

Reply
Solved! Jump to solution

oreni
Explorer
‎10-27-2011 07:22 AM

Yes, I've set this flag to true and still there was no change.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...