https://community.splunk.com/t5/Splunk-Search/Why-does-a-real-time-search-with-a-small-time-range-not-return/m-p/146028#M40750 <P>Yes, this seems to make sense now.<BR /> I had radial gauges in my real-time dashboards that showed the count of incoming events in a 1-minute window.<BR /> It stopped working (always reporting zero) after I turned on DEBUG logging level on some application servers which increased incoming events from 1.5GB/day to about 36GB/day.</P> <P>I might have to look at clustering Splunk to process things faster if I want the 1-min real-time reporting?</P> Fri, 17 Apr 2015 18:23:33 GMT nk-1 2015-04-17T18:23:33Z https://community.splunk.com/t5/Splunk-Search/Why-does-a-real-time-search-with-a-small-time-range-not-return/m-p/146026#M40748 <P>Sample Splunk Web search in Splunk 6.1.3 (Windows Server 2012):</P> <PRE><CODE>host=MyHost level=INFO | stats count </CODE></PRE> <P>always returns zero if I use Real Time 1-minute window.<BR /> If I change to Real Time 5-minute window, I get numbers that change every couple of seconds.</P> <P>Why won't the 1-minute real-time window return results?</P> Thu, 16 Apr 2015 20:29:38 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-a-real-time-search-with-a-small-time-range-not-return/m-p/146026#M40748 nk-1 2015-04-16T20:29:38Z https://community.splunk.com/t5/Splunk-Search/Why-does-a-real-time-search-with-a-small-time-range-not-return/m-p/146027#M40749 <P>Hi, When you simply do a ....|stats count ,splunk is doing statistics over all fields and that may take time so 1 minute window may be not be sufficient for that.</P> Thu, 16 Apr 2015 20:47:53 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-a-real-time-search-with-a-small-time-range-not-return/m-p/146027#M40749 stephane_cyrill 2015-04-16T20:47:53Z https://community.splunk.com/t5/Splunk-Search/Why-does-a-real-time-search-with-a-small-time-range-not-return/m-p/146028#M40750 <P>Yes, this seems to make sense now.<BR /> I had radial gauges in my real-time dashboards that showed the count of incoming events in a 1-minute window.<BR /> It stopped working (always reporting zero) after I turned on DEBUG logging level on some application servers which increased incoming events from 1.5GB/day to about 36GB/day.</P> <P>I might have to look at clustering Splunk to process things faster if I want the 1-min real-time reporting?</P> Fri, 17 Apr 2015 18:23:33 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-a-real-time-search-with-a-small-time-range-not-return/m-p/146028#M40750 nk-1 2015-04-17T18:23:33Z https://community.splunk.com/t5/Splunk-Search/Why-does-a-real-time-search-with-a-small-time-range-not-return/m-p/146029#M40751 <P>Hi nk-1, feel free to vote and accept the answer. thanks</P> Fri, 17 Apr 2015 23:46:43 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-a-real-time-search-with-a-small-time-range-not-return/m-p/146029#M40751 stephane_cyrill 2015-04-17T23:46:43Z https://community.splunk.com/t5/Splunk-Search/Why-does-a-real-time-search-with-a-small-time-range-not-return/m-p/146030#M40752 <P>I'd just like to add a note that a reason why my 1-minute real-time window was not producing results when I went from indexing 1.5GB/day to 36GB/day was because the forwarders sending events to my indexers were, by default, configured to throttle after 256KB/second.<BR /> I changed maxKBps in limits.conf to zero in the forwarders, and the 1-minute real-time window displays updating counts now, without the need for clustering.</P> Tue, 21 Apr 2015 15:25:18 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-a-real-time-search-with-a-small-time-range-not-return/m-p/146030#M40752 nk-1 2015-04-21T15:25:18Z