Hello,

I have a very peculiar time problem that I want to fix with a quick and dirty fix. I am creating a sparkline that I need for a real-time dashboard for the SOC. The problem is that I have a sourcetype and source filename from multiple different servers with different timezone settings. The logfile timestamp doesn't contain the timezone differentiator so it's difficult to write something in the inputs for these files.

A solution that will work though is that if i could see logs for the "earliest=-4h" and "latest=-2h" of course, the problem with this is that it's not real-time and has to be refreshed manually. The logs 2 hours ago are the current latest logs.

So based on http://docs.splunk.com/Documentation/Splunk/latest/Search/Specifytimemodifiersinyoursearch I have come up with:

-2h@now-2h
now@-2h
-2h@now

None of these work and I can't save the sparkline dashboard panel. Am I getting the syntax wrong or is this just not supposed to work this way?

Thanks!

Ken