Splunk Search

Is there a way to perform a real time search with a static start time?

jcspigler2010
Path Finder

Is there a way to do a real time search with a static start time? For example...

Select start time of march 19 @ 9:00 am and expand the latest time every 5 seconds? Instead of a sliding window of 5 minutes or 5 hours, it is more of an expanding window. I'm hoping this is relatively simple. I know earliest_time can set a static start time. Maybe this is the direction I want to go.

Thanks

0 Karma
1 Solution

niketnilay
Legend

I dont think you can mix and match real-time with non real-time time specifiers.
What you can try instead is to run the search for static time from march 19th till now and refresh search panel every 5 sec.

        <search>
          <query><Your Base Search with filters> earliest="03/19/2017:09:00:00" latest="now"
         | <Your Remaining search></query>
          ...
          ...
          <refresh>5s</refresh>
          <refreshType>delay</refreshType>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

niketnilay
Legend

I dont think you can mix and match real-time with non real-time time specifiers.
What you can try instead is to run the search for static time from march 19th till now and refresh search panel every 5 sec.

        <search>
          <query><Your Base Search with filters> earliest="03/19/2017:09:00:00" latest="now"
         | <Your Remaining search></query>
          ...
          ...
          <refresh>5s</refresh>
          <refreshType>delay</refreshType>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

jcspigler2010
Path Finder

Niketnilay,

I think this will work nicely. Thanks!

0 Karma

niketnilay
Legend

@jcspigler2010 glad it worked!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.