Solved: Start time search in splunk

Nixon1023 · ‎05-02-2011

How can I have a start time on my search, so that it starts every time reflecting the current time. I want to display a line chart/graph showing the beginning of my search as it progresses over time. My command so far is this......

source="/var/log/scenario1.log" | timechart span=5s max(host_bandwidth) by host

Chubbybunny · ‎05-02-2011

per http://www.splunk.com/base/Documentation/latest/User/RealtimeSearch
under the section 'Specify real-time time range windows':

The syntax for real-time time modifers is:

rt[+|-]<time_integer><time_unit>@<time_unit>

You can find more information about the syntax for time modifiers in the topic, Change the time range of your search.

http://www.splunk.com/base/Documentation/4.2.1/User/ChangeTheTimeRangeOfYourSearch

View solution in original post

Chubbybunny · ‎05-02-2011

per http://www.splunk.com/base/Documentation/latest/User/RealtimeSearch
under the section 'Specify real-time time range windows':

The syntax for real-time time modifers is:

rt[+|-]<time_integer><time_unit>@<time_unit>

You can find more information about the syntax for time modifiers in the topic, Change the time range of your search.

http://www.splunk.com/base/Documentation/4.2.1/User/ChangeTheTimeRangeOfYourSearch

Start time search in splunk

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services