I have a query that overlays the value of one date with the value of another date; it is put together like this:
... earliest=@d+9h latest=@d+17h ... | appendcols [ ... earliest=someDate:09:00:00 latest=someDate:17:00:00 ... ]
The time frame is set to "All time" since someDate can be any date and is input as a result of dropdowns. I would like to show the value of the first search in real time; how would this be done? I'm thinking about force updating the chart every minute or something... "All time (real-time)" doesn't work as it only displays the value from when the search is done and forward.
Can I replace @d+9h with some dynamic solution to just show the value between business hours?
Well, the obvious solution to update the dashboard is to add refresh = seconds to your dashboard or form tag, e.g.
<dashboard refresh="60">
<row>
...
refresh.auto.interval, see here for the Simple XML reference.
PS: using earliest and latest with real-time search ranges directly in a search is not supported as described here. You could however define a time range picker option and select that; you can then specify another non-real-time range with earliest and latest for your subsearch.
Ah, that auto-refresh feature is really nice. I don't really understand the PS part but I think that would be even better? Could you possibly give an example?
Have you read the document at the link provided? It says that you can't use earliest=rt-1d@d or something like that within your search string. You can however place such a setting in times.conf to add them to the time range picker as a preset. That way, you can select a real-time search for the main search. Sadly, this is still not exactly what you asked for, because it doesn't contain the @d+9h offset.
I had another idea for that: you could calculate the seconds passed since midnight and see if that number is between 32400 and 61200, like this:
| eval e_day=strptime(strftime(_time, "%y %m %d"), "%y %m %d") | eval t_today=_time-e_day | where t_today>32400 AND t_today<61200
Any ideas on this?
Still nothing? Perhaps it is not possible. Karma awarded!