Solved: Real-time search with fixed start

marksnelling · ‎07-04-2012

I'd like to create a real-time search and chart plotting logged values since midnight. My search is below.
eventtype="val_update" | rex "(?i) val=(?P<pnl>.+)" | timechart latest(val) span=3m

When setting the search window how can I use the rt value for the latest time with something like @d for the earliest time?

marksnelling · ‎07-13-2012

Actually rt-0@d seems to do what I want

View solution in original post

marksnelling · ‎07-13-2012

Actually rt-0@d seems to do what I want

Drainy · ‎07-05-2012

To do a realtime backfill with a snap to day you just use earliest as rt-d@d and latest as rt

Drainy · ‎07-08-2012

Sorry, its rt-d@d, typo in my answer 🙂

marksnelling · ‎07-05-2012

If I understand this correctly, I should use rt-@d in the Earliest field in the search Custom Time range? If I do this Splunk complains it's an invalid time string.

Real-time search with fixed start

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Join the Conversation