I have a query that overlays the value of one date with the value of another date; it is put together like this:
... earliest=@d+9h latest=@d+17h ... | appendcols [ ... earliest=someDate:09:00:00 latest=someDate:17:00:00 ... ]
The time frame is set to "All time" since someDate can be any date and is input as a result of drop-downs. I would like to show the value of the first search in real time; how would this be done? I'm thinking about force-updating the chart every 1 minute or something... "All time (real-time)" doesn't work as it only displays the value from when the search is done and forward.
Can I replace @d+9h with some dynamic solution to just show the value between business hours?
Well, the obvious solution to update the dashboard is to add refresh="seconds" to your form tag, e.g.
<dashboard refresh="60"> <row> ...
refresh.auto.interval, see here for the Simple XML reference.
latest with real-time search ranges directly in a search is not supported, as described here. You could however define a time range picker option and select that; you can then specify another non-real-time range with latest for your subsearch.
Have you read the document at the link provided? It says that you can't use earliest=rt-1d@d or something like that within your search string. You can however place such a setting in times.conf to add them to the time range picker as a preset. That way, you can select a real-time search for the main search. Sadly, this is still not exactly what you asked for, because it doesn't contain the
I had another idea for that: you could calculate the seconds passed since midnight and see if that number is between 32400 and 61200, like this:
| eval e_day=strptime(strftime(_time, "%y %m %d"), "%y %m %d") | eval t_today=_time-e_day | where t_today>32400 AND t_today<61200
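The seconds-since-midnight filter above works per event, so it restricts a real-time search to business hours without needing earliest/latest in the search string. Here is an added Python model of that filter (not Splunk code, and not from the original thread) run over constructed sample events; it assumes an inclusive 09:00 bound to match earliest=@d+9h, and it shows the caveat that the result depends on the timezone in which _time is rendered, since strftime in Splunk uses the search user's timezone.

```python
from datetime import datetime, timedelta, timezone

# Bounds from the answer: 9h and 17h after midnight, in seconds.
BUSINESS_START = 9 * 3600   # 32400
BUSINESS_END = 17 * 3600    # 61200

# Two constructed user timezones to compare against each other.
UTC = timezone.utc
UTC_PLUS_2 = timezone(timedelta(hours=2))


def seconds_since_midnight(ts: float, tz: timezone) -> int:
    """Model of: strptime(strftime(_time, "%y %m %d"), "%y %m %d") -> t_today.

    Splunk renders _time as a wall-clock date in the user's timezone and
    parses it back to local midnight; the difference is wall-clock seconds.
    """
    local = datetime.fromtimestamp(ts, tz)
    return local.hour * 3600 + local.minute * 60 + local.second


def in_business_hours(ts: float, tz: timezone) -> bool:
    """earliest=@d+9h is inclusive and latest=@d+17h exclusive in Splunk,
    so use [09:00:00, 17:00:00) rather than the strict > / < of the answer."""
    t_today = seconds_since_midnight(ts, tz)
    return BUSINESS_START <= t_today < BUSINESS_END


# Constructed events on 2024-03-12 (midnight UTC = 1710201600).
SAMPLE_EVENTS = [
    {"id": "a", "_time": 1710233999},  # 08:59:59 UTC
    {"id": "b", "_time": 1710234000},  # 09:00:00 UTC
    {"id": "c", "_time": 1710246600},  # 12:30:00 UTC
    {"id": "d", "_time": 1710262799},  # 16:59:59 UTC
    {"id": "e", "_time": 1710262800},  # 17:00:00 UTC
    {"id": "f", "_time": 1710281700},  # 22:15:00 UTC
]


def filter_events(events: list, tz: timezone) -> list:
    """Equivalent of the `| where` stage: keep only in-hours events."""
    return [e["id"] for e in events if in_business_hours(e["_time"], tz)]


if __name__ == "__main__":
    # The same events fall into different windows depending on the user's timezone.
    print("UTC user   :", filter_events(SAMPLE_EVENTS, UTC))
    print("UTC+2 user :", filter_events(SAMPLE_EVENTS, UTC_PLUS_2))
```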