Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Displaying chart in real-time with fixed earliest/latest

ohlafl
Communicator
‎08-17-2015 06:42 AM

I have a query that overlays the value of one date with the value of another date, it is put together as this:

... earliest=@d+9h latest=@d+17h ... | appendcols [ ... earliest=someDate:09:00:00 latest=someDate:17:00:00 ... ]

The time frame is set to "All time" since someDate can be any date and is input as a result of drop downs. I would like to show the value of the first search in real time, how would this be done? I'm thinking about force updating the chart each 1 minute or something... "All time (real-time)" doesn't work as it only displays the value from when the search is done and forward.

Can I replace @d+9h with some dynamic solution to just show the value between business hours?

0 Karma
Reply

jeffland
SplunkTrust
SplunkTrust
‎08-20-2015 05:23 AM

Well, the obvious solution to update the dashboard is to add refresh = seconds to your dashboard or form tag, e.g.

<dashboard refresh="60">
  <row>
    ...

You can also do this only with specific panels with refresh.auto.interval, see here for the Simple XML reference.

PS: using earliest and latest with real-time search ranges directly in a search is not supported as described here. You could however define a time range picker option and select that; you can then specify another non-real-time range with earliest and latest for your subsearch.

Reply

ohlafl
Communicator
‎08-20-2015 05:52 AM

Ah, that auto-refresh feature is really nice. I don't really understand the PS part but I think that would be even better? Could you possibly give an example?

0 Karma
Reply

jeffland
SplunkTrust
SplunkTrust
‎08-21-2015 12:33 AM

Have you read the document at the link provided? It says that you can't use earliest=rt-1d@d or something like that within your search string. You can however place such a setting in times.conf to add them to the time range picker as a preset. That way, you can select a real-time search for the main search. Sadly, this is still not exactly what you asked for, because it doesn't contain the @d+9h offset.
I had another idea for that: you could calculate the seconds passed since midnight and see if that number is between 32400 and 61200, like this:

| eval e_day=strptime(strftime(_time, "%y %m %d"), "%y %m %d") | eval t_today=_time-e_day | where t_today>32400 AND t_today<61200
0 Karma
Reply

ohlafl
Communicator
‎08-18-2015 06:26 AM

Any ideas on this?

0 Karma
Reply

ohlafl
Communicator
‎08-20-2015 04:32 AM

Still nothing? Perhaps it is not possible. Karma awarded!

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...