Splunk Search

Real-time search with fixed start

marksnelling
Communicator

I'd like to create a real-time search and chart plotting logged values since midnight. My search is below.
eventtype="val_update" | rex "(?i) val=(?P<pnl>.+)" | timechart latest(val) span=3m

When setting the search window how can I use the rt value for the latest time with something like @d for the earliest time?

Tags (1)
0 Karma
1 Solution

marksnelling
Communicator

Actually rt-0@d seems to do what I want

View solution in original post

marksnelling
Communicator

Actually rt-0@d seems to do what I want

Drainy
Champion

To do a realtime backfill with a snap to day you just use earliest as rt-d@d and latest as rt

Drainy
Champion

Sorry, its rt-d@d, typo in my answer :slightly_smiling_face:

0 Karma

marksnelling
Communicator

If I understand this correctly, I should use rt-@d in the Earliest field in the search Custom Time range? If I do this Splunk complains it's an invalid time string.

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...