https://community.splunk.com/t5/Splunk-Search/Querying-a-Real-Time-search/m-p/73350#M18349 <P>Thank you for the helpful answer. If Real-time search can only be set at the API level, what is a good example to do this? I am using the Python SDK and I would like to find a way to setup Real-time search. I am starting with the "search.py" example. </P> <P>Thank you</P> Mon, 03 Oct 2016 05:30:29 GMT mindtouch_adria 2016-10-03T05:30:29Z https://community.splunk.com/t5/Splunk-Search/Querying-a-Real-Time-search/m-p/73342#M18341 <P>I am trying to make an external dashboard for splunk that needs to be real time. At the moment, all we can do is make a script on our end to resend the search every so often and refresh the page for the new results. <BR /> What I want to know, however, is if there is a way to query splunk to make a real time search.<BR /> In other words, can a real time search be executed from some syntax in the search string? Without using the time range picker whatsoever?</P> <P>EDIT: I have tried to use "<CODE>earliest=rt-10m latest=rt</CODE>" but got an error saying: <CODE>Invalid value "rt-5m" for time term 'earliest'</CODE></P> Thu, 16 Feb 2012 21:45:57 GMT https://community.splunk.com/t5/Splunk-Search/Querying-a-Real-Time-search/m-p/73342#M18341 atreece 2012-02-16T21:45:57Z https://community.splunk.com/t5/Splunk-Search/Querying-a-Real-Time-search/m-p/73343#M18342 <P>Do you mean using real-time specifiers in the search string? This would give you a 5 minute real time window:</P> <PRE><CODE>foobar=fizbaz earliest=rt-5 latest=rt </CODE></PRE> <P><STRONG>UPDATE:</STRONG> I asked the experts SS and Dr. Z, and this is expected behavior. Real-time search can only be set at the API level, such as time-range picker does, and not via the search string. Who knew?</P> Tue, 21 Feb 2012 16:46:38 GMT https://community.splunk.com/t5/Splunk-Search/Querying-a-Real-Time-search/m-p/73343#M18342 araitz 2012-02-21T16:46:38Z https://community.splunk.com/t5/Splunk-Search/Querying-a-Real-Time-search/m-p/73344#M18343 <P>That's exactly what I thought should work, but when I tried it, I got an error.<BR /> Is there an additional parameter I need? or would this involve the config files?</P> Tue, 21 Feb 2012 18:39:52 GMT https://community.splunk.com/t5/Splunk-Search/Querying-a-Real-Time-search/m-p/73344#M18343 atreece 2012-02-21T18:39:52Z https://community.splunk.com/t5/Splunk-Search/Querying-a-Real-Time-search/m-p/73345#M18344 <P>What is the error that you receive?</P> Tue, 21 Feb 2012 18:57:35 GMT https://community.splunk.com/t5/Splunk-Search/Querying-a-Real-Time-search/m-p/73345#M18344 araitz 2012-02-21T18:57:35Z https://community.splunk.com/t5/Splunk-Search/Querying-a-Real-Time-search/m-p/73346#M18345 <P>Invalid value "rt-5m" for time term 'earliest'</P> Tue, 21 Feb 2012 19:01:45 GMT https://community.splunk.com/t5/Splunk-Search/Querying-a-Real-Time-search/m-p/73346#M18345 atreece 2012-02-21T19:01:45Z https://community.splunk.com/t5/Splunk-Search/Querying-a-Real-Time-search/m-p/73347#M18346 <P>I get the same for "rt-5"</P> Tue, 21 Feb 2012 19:02:29 GMT https://community.splunk.com/t5/Splunk-Search/Querying-a-Real-Time-search/m-p/73347#M18346 atreece 2012-02-21T19:02:29Z https://community.splunk.com/t5/Splunk-Search/Querying-a-Real-Time-search/m-p/73348#M18347 <P>See my updated post above.</P> Tue, 21 Feb 2012 19:26:20 GMT https://community.splunk.com/t5/Splunk-Search/Querying-a-Real-Time-search/m-p/73348#M18347 araitz 2012-02-21T19:26:20Z https://community.splunk.com/t5/Splunk-Search/Querying-a-Real-Time-search/m-p/73349#M18348 <P>ok, thank you</P> Tue, 21 Feb 2012 19:37:05 GMT https://community.splunk.com/t5/Splunk-Search/Querying-a-Real-Time-search/m-p/73349#M18348 atreece 2012-02-21T19:37:05Z https://community.splunk.com/t5/Splunk-Search/Querying-a-Real-Time-search/m-p/73350#M18349 <P>Thank you for the helpful answer. If Real-time search can only be set at the API level, what is a good example to do this? I am using the Python SDK and I would like to find a way to setup Real-time search. I am starting with the "search.py" example. </P> <P>Thank you</P> Mon, 03 Oct 2016 05:30:29 GMT https://community.splunk.com/t5/Splunk-Search/Querying-a-Real-Time-search/m-p/73350#M18349 mindtouch_adria 2016-10-03T05:30:29Z https://community.splunk.com/t5/Splunk-Search/Querying-a-Real-Time-search/m-p/73351#M18350 <P>This should really be an independent question, though probably this answer should link to that information.</P> <P>When interacting at the api level, the client has an explicitly choice of the first command, and can select rtsearch instead of search. However, you'll have to select different values for et / lt typically, such as the above discussed rt-5m.</P> Mon, 03 Oct 2016 19:21:35 GMT https://community.splunk.com/t5/Splunk-Search/Querying-a-Real-Time-search/m-p/73351#M18350 jrodman 2016-10-03T19:21:35Z https://community.splunk.com/t5/Splunk-Search/Querying-a-Real-Time-search/m-p/73352#M18351 <P>Ok, thanks jrodman. I'll create a new question. </P> Mon, 03 Oct 2016 22:09:49 GMT https://community.splunk.com/t5/Splunk-Search/Querying-a-Real-Time-search/m-p/73352#M18351 mindtouch_adria 2016-10-03T22:09:49Z https://community.splunk.com/t5/Splunk-Search/Querying-a-Real-Time-search/m-p/73353#M18352 <P>New Question:</P> <P><A href="https://answers.splunk.com/answers/456597/how-to-create-a-real-time-search-of-data-received.html">https://answers.splunk.com/answers/456597/how-to-create-a-real-time-search-of-data-received.html</A></P> Tue, 04 Oct 2016 18:48:37 GMT https://community.splunk.com/t5/Splunk-Search/Querying-a-Real-Time-search/m-p/73353#M18352 mindtouch_adria 2016-10-04T18:48:37Z