Re: rolling near-time results between 5 and 15 min...

dang · ‎04-11-2011

How do I add a relative time range to a search that will allow me to see data between 15 and 5 minutes ago (read: not quite "real time")? I can see in the splunk manager I can add a start time of -15m@m and an end time of -5m@m, but that only gives me one 10-minute window, and doesn't show continuous values over time.

Am I not formatting my timechart clause properly?

sideview · ‎04-11-2011

If you are looking for a 'real-time' search, meaning that while you watch the results, the 10 minute window is continually inching itself further along to keep up with real time, then you want to put "rt" in front of those timeranges:

rt-15m@m
rt-5m@m

http://www.splunk.com/base/Documentation/latest/User/RealtimeSearch

Of course this may not be what you're trying to do, but in that case I'm afraid I dont understand.

dang · ‎04-11-2011

I probably didn't want to use the phrase "real time" as it might confuse the issue. Here's the problem I'm trying to solve:

I've got a search which timecharts (with a span of 10min) the success rate of an event. Because data does not get processed instantaneously, I often get results greater than 100%. I'm thinking that if I look back just 5 minutes earlier, I might get more accurate results, without losing much in the way of seeing current data.

rolling near-time results between 5 and 15 minutes?

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...