Solved: Realtime search is very slow

sushildabare · ‎11-23-2011

When we perform All time search we get the results very quickly.
But when we search by selecting Realtime(30seconds, 1 minutes, 60 minutes etc) search is very very slow,
Is there any setting in splunk which we can set to improve this search response time for Real time searches?

Thanks|

sdwilkerson · ‎11-23-2011

Sushildabare,

I agree with Ayn's comment, that a realtime search should show events in realtime. Perhaps there are bad time (or timezone) in your data?

Choose "Real Time > All time (real-time)" entry in the TimeRangePicker pulldown" instead of one of the realtime intervals. This should show you data on the screen AS it is received. Examine your timeline. Are the times current?

If the data is the volume you expected, but the times/dates are off, then that is the answer to your problem. Of course, the you would have a new problem, which is to fix the time on the source or fix Splunk's interpretation of the time or timezone in props.conf.

Best,
Sean

View solution in original post

BenAveling · ‎11-20-2013

As per Sean's answer, real time searches never 'finish'. But they should display all the available results about as quickly as Relative searches. What they don't do is tell you that they have found all the available results - because they are still searching.

This can be particularly confusing if you use Time range picker -> All time (real-time) without realising that it is 'special' - it does not show past events, only events that occur after the search started - you'll see that the number of events matched is only, for eg, "28 of 28 events matched" - 28 is the number of events that have matched since your search started. If you were expecting more results, it can seem that it is slow, when in fact, it has actually finished.

Officially, this is a feature, even though it may not feel like one. See: http://docs.splunk.com/Documentation/Splunk/6.0/Search/Specifyrealtimewindowsinyoursearch#Real-time_...

sdwilkerson · ‎11-23-2011

Sushildabare,

I agree with Ayn's comment, that a realtime search should show events in realtime. Perhaps there are bad time (or timezone) in your data?

Choose "Real Time > All time (real-time)" entry in the TimeRangePicker pulldown" instead of one of the realtime intervals. This should show you data on the screen AS it is received. Examine your timeline. Are the times current?

If the data is the volume you expected, but the times/dates are off, then that is the answer to your problem. Of course, the you would have a new problem, which is to fix the time on the source or fix Splunk's interpretation of the time or timezone in props.conf.

Best,
Sean

sushildabare · ‎11-23-2011

Thanks Ayn and Sean for your inputs, I completely agree with Ayn, realtime searching events will be shown as they arrive in realtime.

Ayn · ‎11-23-2011

When you do realtime searching events will be shown as they arrive in realtime. How have you come to the conclusion that the search is slow? Do you know that events are arriving in a much higher rate than they are shown in the interface?

Realtime search is very slow

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!