Solved: Real-time search with fixed start

marksnelling · ‎07-04-2012

I'd like to create a real-time search and chart plotting logged values since midnight. My search is below.
eventtype="val_update" | rex "(?i) val=(?P<pnl>.+)" | timechart latest(val) span=3m

When setting the search window how can I use the rt value for the latest time with something like @d for the earliest time?

marksnelling · ‎07-13-2012

Actually rt-0@d seems to do what I want

View solution in original post

marksnelling · ‎07-13-2012

Actually rt-0@d seems to do what I want

Drainy · ‎07-05-2012

To do a realtime backfill with a snap to day you just use earliest as rt-d@d and latest as rt

Drainy · ‎07-08-2012

Sorry, its rt-d@d, typo in my answer 🙂

marksnelling · ‎07-05-2012

If I understand this correctly, I should use rt-@d in the Earliest field in the search Custom Time range? If I do this Splunk complains it's an invalid time string.

Real-time search with fixed start

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

Real-time search with fixed start

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!