Solved: How can I run a windowed realtime seach from the c...

jrodman · ‎01-09-2013

I can run a search from the command line with time boundaries as earliest= and latest= as part of my search. And I can run a realtime search over all time from the command line using 'rtsearch'.

But if I try to run a realtime search with earliest= and latest= keywords as part of the search string, they aren't effective. How can I make this work?

Rob · ‎01-09-2013

Using 'earliest' and 'latest' may not work as mentioned in the following splunk answer:

http://splunk-base.splunk.com/answers/40885/querying-a-real-time-search#71382

Try using the following:

bin/splunk rtsearch 'index=_internal -earliest_time 'rt-30s'  -latest_time 'rt+30s'

-earliest_time and -latest_time should set the same-name arguments in the REST API.

View solution in original post

Rob · ‎01-09-2013

Using 'earliest' and 'latest' may not work as mentioned in the following splunk answer:

http://splunk-base.splunk.com/answers/40885/querying-a-real-time-search#71382

Try using the following:

bin/splunk rtsearch 'index=_internal -earliest_time 'rt-30s'  -latest_time 'rt+30s'

-earliest_time and -latest_time should set the same-name arguments in the REST API.

How can I run a windowed realtime seach from the command line?

New Case Study: How LSU’s Student-Powered SOCs and Splunk Are Shaping the Future of ...

Splunk and Fraud

Build Your First SPL2 App!