Solved: Real-time search with fixed start

marksnelling · ‎07-04-2012

I'd like to create a real-time search and chart plotting logged values since midnight. My search is below.
eventtype="val_update" | rex "(?i) val=(?P<pnl>.+)" | timechart latest(val) span=3m

When setting the search window how can I use the rt value for the latest time with something like @d for the earliest time?

marksnelling · ‎07-13-2012

Actually rt-0@d seems to do what I want

View solution in original post

marksnelling · ‎07-13-2012

Actually rt-0@d seems to do what I want

Drainy · ‎07-05-2012

To do a realtime backfill with a snap to day you just use earliest as rt-d@d and latest as rt

Drainy · ‎07-08-2012

Sorry, its rt-d@d, typo in my answer 🙂

marksnelling · ‎07-05-2012

If I understand this correctly, I should use rt-@d in the Earliest field in the search Custom Time range? If I do this Splunk complains it's an invalid time string.

Real-time search with fixed start

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!