Real Time search for Today()

EricksonOng · ‎04-24-2012

hi,

it is possible to do a real time search for today?
for the saved searches or reports, we can actually do a @d - now

if i would to do a rt-d that would actually bring me the result time result that will be in last 24 hours instead.

jonuwz · ‎08-27-2012

This is not ideal, since it requires a new event to come through to 'refresh' the display

Set up your real-time search for the last 24 hours, then filter it through something like this

.... | eval interval=relative_time(_time,"@d") | eventstats latest(interval) as latest_interval | where interval == latest_interval AND latest_interval == relative_time(time(),"@d") |  ...

This'll only display events for the current day.

John

EricksonOng · ‎08-27-2012

more or less this is for monitoring display.
the dashboard should be monitoring several metrics for violation.
however, this should be reset on a daily basis such that, when the next 24 hour shift takes over. it should already been cleared off instead of still showing up.

Ayn · ‎08-27-2012

afaik this is currently not supported. There have been a number of requests to implement this functionality - let's hope it makes it into a future release at some point.

sdaniels · ‎04-24-2012

What are you looking to accomplish with a 'today' time range for real time. Maybe that will help us answer your question.

Real Time search for Today()

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...