Solved: How can I run a windowed realtime seach from the c...

jrodman · ‎01-09-2013

I can run a search from the command line with time boundaries as earliest= and latest= as part of my search. And I can run a realtime search over all time from the command line using 'rtsearch'.

But if I try to run a realtime search with earliest= and latest= keywords as part of the search string, they aren't effective. How can I make this work?

Rob · ‎01-09-2013

Using 'earliest' and 'latest' may not work as mentioned in the following splunk answer:

http://splunk-base.splunk.com/answers/40885/querying-a-real-time-search#71382

Try using the following:

bin/splunk rtsearch 'index=_internal -earliest_time 'rt-30s'  -latest_time 'rt+30s'

-earliest_time and -latest_time should set the same-name arguments in the REST API.

View solution in original post

Rob · ‎01-09-2013

Using 'earliest' and 'latest' may not work as mentioned in the following splunk answer:

http://splunk-base.splunk.com/answers/40885/querying-a-real-time-search#71382

Try using the following:

bin/splunk rtsearch 'index=_internal -earliest_time 'rt-30s'  -latest_time 'rt+30s'

-earliest_time and -latest_time should set the same-name arguments in the REST API.

How can I run a windowed realtime seach from the command line?

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

How can I run a windowed realtime seach from the command line?

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey