This is not ideal, since it requires a new event to come through to 'refresh' the display.
Set up your real-time search for the last 24 hours, then filter it through something like this:
.... | eval interval=relative_time(_time,"@d") | eventstats latest(interval) as latest_interval | where interval == latest_interval AND latest_interval == relative_time(time(),"@d") | ...
This'll only display events for the current day.
John
More or less, this is for a monitoring display.
The dashboard should be monitoring several metrics for violation.
However, this should be reset on a daily basis such that, when the next 24-hour shift takes over, it should already have been cleared off instead of still showing up.
AFAIK this is currently not supported. There have been a number of requests to implement this functionality - let's hope it makes it into a future release at some point.
What are you looking to accomplish with a 'today' time range for real time? Maybe that will help us answer your question.