https://community.splunk.com/t5/Splunk-Search/Realtime-searches-efficiency-results/m-p/28904#M5783 <P><EM>bump</EM> I hate adding a "me too" for a response...</P> Fri, 08 Nov 2013 17:03:08 GMT dglinder 2013-11-08T17:03:08Z https://community.splunk.com/t5/Splunk-Search/Realtime-searches-efficiency-results/m-p/28902#M5781 <P>As far as efficiency, we were told that realtime searches take "a fraction" of a CPU core per search. Does it matter if someone is doing realtime-all time, or realtime-5min/30 min window?</P> <P>I was looking at <A href="http://www.splunk.com/view/real-time-in-splunk/SP-CAAAFD7">http://www.splunk.com/view/real-time-in-splunk/SP-CAAAFD7</A> but wasn’t clear.</P> <P>Just confirming, if you do a rt30 minute search and you look for an event that follows another event and those events are &gt;30 minutes apart, you wouldn’t see anything. </P> <P>Also, if you do realtime search for 30 minute window and events come into Splunk with different time greater than 30 minutes (e.g. timezone or bad CPU clock time) you won't see those as either. </P> <P>Thanks</P> Fri, 09 Nov 2012 15:27:21 GMT https://community.splunk.com/t5/Splunk-Search/Realtime-searches-efficiency-results/m-p/28902#M5781 troywollenslege 2012-11-09T15:27:21Z https://community.splunk.com/t5/Splunk-Search/Realtime-searches-efficiency-results/m-p/28903#M5782 <P>I would like to know the answer to this as well if anyone knows.</P> Wed, 10 Apr 2013 00:36:59 GMT https://community.splunk.com/t5/Splunk-Search/Realtime-searches-efficiency-results/m-p/28903#M5782 phoenixdigital 2013-04-10T00:36:59Z https://community.splunk.com/t5/Splunk-Search/Realtime-searches-efficiency-results/m-p/28904#M5783 <P><EM>bump</EM> I hate adding a "me too" for a response...</P> Fri, 08 Nov 2013 17:03:08 GMT https://community.splunk.com/t5/Splunk-Search/Realtime-searches-efficiency-results/m-p/28904#M5783 dglinder 2013-11-08T17:03:08Z https://community.splunk.com/t5/Splunk-Search/Realtime-searches-efficiency-results/m-p/28905#M5784 <P>Windowed Real Time: uses earliesttime=rt-1 latesttime=rt<BR /> Non Windowed Real Time: earliesttime=rt latesttime=rt</P> <P>Let me share my experience so far on this matter:<BR /> They can be compared with these parameters:<BR /> 1.cpu 2.ram 3. diskspace 4. #events 5. querytime 6. overhead</P> <P>Windowed RT<BR /> cpu-fraction of core per search as above<BR /> events-Query returns mostly fixed number of events, with some marginal fluctuation<BR /> querytime-mostly the same due to event count<BR /> ram-mostly fixed amount with some fluctuations due to above events count<BR /> diskspace for query-increasing and can exhaust the disk space quota per user<BR /> overheads-Window management overhead</P> <P>Non Window RT<BR /> cpu-fraction of core per search as above<BR /> events-Query returns continuously increasing number of events since its all real time and the events continue to increase over time<BR /> querytime- as the event counts increases, the query run time also increase due to processing more events<BR /> ram-increasing amount of ram consumed as the event count keeps increasing<BR /> diskspace for query- same as windowed,increasing and can exhaust the disk space quota per user<BR /> overheads-No window management overhead, uses all events in real time</P> <P>In comparison, Windowed RT preferable even though there is rolling window management overheads due to above plus points. The only minus point is the disk space keeps on increasing and can exhaust the quota. Hence periodically the windowed real time query can be disabled and enabled to clean up the disk space used and start over. </P> Mon, 07 Apr 2014 00:04:29 GMT https://community.splunk.com/t5/Splunk-Search/Realtime-searches-efficiency-results/m-p/28905#M5784 iTechEvent 2014-04-07T00:04:29Z