Displaying chart in real-time with fixed earliest/latest

ohlafl
Communicator

I have a query that overlays the value of one date with the value of another date; it is put together like this:

... earliest=@d+9h latest=@d+17h ... | appendcols [ ... earliest=someDate:09:00:00 latest=someDate:17:00:00 ... ]

The time frame is set to "All time" since someDate can be any date and is input as a result of drop downs. I would like to show the value of the first search in real time, how would this be done? I'm thinking about force updating the chart each 1 minute or something... "All time (real-time)" doesn't work as it only displays the value from when the search is done and forward.

Can I replace @d+9h with some dynamic solution to just show the value between business hours?

0 Karma

jeffland
SplunkTrust

Well, the obvious solution to update the dashboard is to add refresh = seconds to your dashboard or form tag, e.g.

<dashboard refresh="60">
  <row>
    ...

You can also do this only with specific panels with refresh.auto.interval, see here for the Simple XML reference.

PS: using earliest and latest with real-time search ranges directly in a search is not supported as described here. You could however define a time range picker option and select that; you can then specify another non-real-time range with earliest and latest for your subsearch.

ohlafl
Communicator

Ah, that auto-refresh feature is really nice. I don't really understand the PS part but I think that would be even better? Could you possibly give an example?

0 Karma

jeffland
SplunkTrust

Have you read the document at the link provided? It says that you can't use earliest=rt-1d@d or something like that within your search string. You can however place such a setting in times.conf to add them to the time range picker as a preset. That way, you can select a real-time search for the main search. Sadly, this is still not exactly what you asked for, because it doesn't contain the @d+9h offset.
I had another idea for that: you could calculate the seconds passed since midnight and see if that number is between 32400 and 61200, like this:

| eval e_day=strptime(strftime(_time, "%y %m %d"), "%y %m %d") | eval t_today=_time-e_day | where t_today>32400 AND t_today<61200

0 Karma

ohlafl
Communicator

Any ideas on this?

0 Karma

ohlafl
Communicator

Still nothing? Perhaps it is not possible. Karma awarded!

0 Karma