Splunk Search

Is there a way to perform a real time search with a static start time?

jcspigler2010
Path Finder

Is there a way to do a real-time search with a static start time? For example...

Select a start time of March 19 @ 9:00 am and expand the latest time every 5 seconds? Instead of a sliding window of 5 minutes or 5 hours, it is more of an expanding window. I'm hoping this is relatively simple. I know earliest_time can set a static start time. Maybe this is the direction I want to go.

Thanks

0 Karma
1 Solution

niketn
Legend

I don't think you can mix and match real-time with non-real-time time specifiers.
What you can try instead is to run the search for static time from March 19th till now and refresh the search panel every 5 sec.

        <search>
          <query><Your Base Search with filters> earliest="03/19/2017:09:00:00" latest="now"
          | <Your Remaining search></query>
          ...
          ...
          <refresh>5s</refresh>
          <refreshType>delay</refreshType>
        </search>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

0 Karma
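A complete Simple XML panel built on the approach in the answer above (fixed earliest, latest pinned to now, panel re-run every 5 seconds). This is an added example, not code from the original post; the search terms (index=main, sourcetype=access_combined, status>=500) and the panel title are assumed placeholders, and the earliest value is written in Splunk's %m/%d/%Y:%H:%M:%S time format as in the answer.

```xml
<dashboard>
  <label>Expanding window since 03/19/2017 09:00</label>
  <row>
    <panel>
      <title>Server errors since 03/19/2017 09:00 (re-run every 5 seconds)</title>
      <chart>
        <search>
          <!-- earliest is an absolute timestamp; latest="now" is re-evaluated on every
               refresh, so the window only grows and never slides. The search terms
               below are placeholders, not from the original post. -->
          <query>index=main sourcetype=access_combined status>=500
                 earliest="03/19/2017:09:00:00" latest="now"
                 | timechart span=1m count</query>
          <!-- "delay": wait 5 seconds after the previous run finishes before
               starting the next one, so refreshes never overlap -->
          <refresh>5s</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Each refresh re-executes the whole search from the fixed start time, so the search cost grows with the window; refreshType "delay" keeps the panel from stacking up jobs when a run takes longer than the 5-second interval.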

jcspigler2010
Path Finder

Niketnilay,

I think this will work nicely. Thanks!

0 Karma

niketn
Legend

@jcspigler2010 glad it worked!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma