topic Re: restrict scheduled real-time searches? in Splunk Search

restrict scheduled real-time searches?

a212830 — Mon, 16 Dec 2013 20:08:42 GMT

Hi,

Is it possible to give people the ability to execute, but not schedule real-time searches?

Re: restrict scheduled real-time searches?

jtrucks — Mon, 16 Dec 2013 20:11:45 GMT

Yes! In the Access Controls -> Roles -> Capabilities box, there is both rtsearch and schedule_rtsearch permissions. Give a role rtsearch and not schedule_rtsearch to do this.

Re: restrict scheduled real-time searches?

a212830 — Mon, 16 Dec 2013 20:27:47 GMT

AWESOME! Oh, lordy, lordy, lordy, that makes my day.

Re: restrict scheduled real-time searches?

jtrucks — Mon, 16 Dec 2013 20:31:37 GMT

Don't forget to mark it as answered 🙂

Glad I could help!

Re: restrict scheduled real-time searches?

a212830 — Mon, 16 Dec 2013 20:35:14 GMT

So, here's part II: why would anyone need to do a real-time search? I noticed searches that have a start time and an end time of "rt". What does that bring back? Seems like it would never end...

Re: restrict scheduled real-time searches?

jtrucks — Mon, 16 Dec 2013 20:40:30 GMT

It gives you all the results in a sliding window. If you have an active dashboard or if you are waiting for an event to trigger for testing something, a RT search with a 5 minute window might be quite useful. Also, scheduling a RT search means you get instant alert triggers for any conditions that should be met. This means within seconds of the matching criteria being written to the indexes, an alert is fired. Most people don't need anything better than a scheduled search running every five minutes or even every minute that looks back that five minutes or single minute, though.

Re: restrict scheduled real-time searches?

a212830 — Mon, 16 Dec 2013 22:53:30 GMT

OK, but where does that 5 minute window come from, is someone puts "rt" for the start and end times for a schedule search?

Re: restrict scheduled real-time searches?

jtrucks — Mon, 16 Dec 2013 22:58:04 GMT

That 5 minute window is sliding. It is constantly moving as the search is updated every second or so. Read http://docs.splunk.com/Documentation/Splunk/6.0/Search/Aboutrealtimesearches#Real-time_search_mechanics for exactly how it works.