Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Defining a Real time search window

oreni
Explorer
‎10-27-2011 07:01 AM

Hello,

I would like to set a real time search which counts events occurred starting from the beginning of the day (12am) until current time.

Using the convention of "earliest=-0d@d latest=rt" yielded an error.

Any ideas on how to define such window in real time search ?

Thanks.

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎10-28-2011 05:20 AM

Hi oreni

The 'rt' values are not designed to be used within the search language. They are configuration values that can be used inside times.conf (to add predefined options to the Time Range Picker), in the saved search dialog or if you were directly using the REST API to access the splunk backend search engine.

I just tested it and this entry in times.conf works fine in 4.1.8:

[rt-yesterday]
label = Real-Time Yesterday
earliest_time = rt-1d@d
latest_time = rt
order = 10

cheers

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎10-28-2011 05:20 AM

Hi oreni

The 'rt' values are not designed to be used within the search language. They are configuration values that can be used inside times.conf (to add predefined options to the Time Range Picker), in the saved search dialog or if you were directly using the REST API to access the splunk backend search engine.

I just tested it and this entry in times.conf works fine in 4.1.8:

[rt-yesterday]
label = Real-Time Yesterday
earliest_time = rt-1d@d
latest_time = rt
order = 10

cheers

Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎10-27-2011 07:18 AM

Hi oreni

did you enable the Real-time backfill in limits.conf?

cheers

Reply
Solved! Jump to solution

oreni
Explorer
‎10-27-2011 07:22 AM

Yes, I've set this flag to true and still there was no change.

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...