Solved: Real-time search with fixed start

marksnelling · ‎07-04-2012

I'd like to create a real-time search and chart plotting logged values since midnight. My search is below.
eventtype="val_update" | rex "(?i) val=(?P<pnl>.+)" | timechart latest(val) span=3m

When setting the search window how can I use the rt value for the latest time with something like @d for the earliest time?

marksnelling · ‎07-13-2012

Actually rt-0@d seems to do what I want

View solution in original post

marksnelling · ‎07-13-2012

Actually rt-0@d seems to do what I want

Drainy · ‎07-05-2012

To do a realtime backfill with a snap to day you just use earliest as rt-d@d and latest as rt

Drainy · ‎07-08-2012

Sorry, its rt-d@d, typo in my answer 🙂

marksnelling · ‎07-05-2012

If I understand this correctly, I should use rt-@d in the Earliest field in the search Custom Time range? If I do this Splunk complains it's an invalid time string.

Real-time search with fixed start

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation