Solved: Re: Realtime saved search on dashboard

sc0tt · ‎09-20-2013

I've come across several posts about this topic but I can't seem to find a good example of how to get this to work. I want to create a realtime saved search for the current day on a dashboard so that it doesn't have to run each time the dashboard is opened. I created a realtime search and scheduled it with the time as rt-0d@d and rt but when I view the results and use the HiddenSavedSearch module it looks like it is only showing the most recent streamed results and not from the beginning of the day.

Am I missing something? How can I get this to work?

nmistry_splunk · ‎09-27-2013

For performance results, Splunk does not perform back fill for scheduled realtime searches. If you want it backfill, you will have to set dispatch.rt_backfill=1 in your search definition in savedsearches.conf

View solution in original post

nmistry_splunk · ‎09-27-2013

For performance results, Splunk does not perform back fill for scheduled realtime searches. If you want it backfill, you will have to set dispatch.rt_backfill=1 in your search definition in savedsearches.conf

sc0tt · ‎10-08-2013

I needed to include enableSched = 1 as well and restart Splunk for the change to take. Saving the schedule from the reports menu removed the backfill flag.

sc0tt · ‎10-08-2013

I have included dispatch.rt_backfill=1 in my savedsearches.conf but it doesn't seem like this is working. Any ideas? I'm using Splunk 6 if that matters.

sc0tt · ‎09-30-2013

Thanks for your help.

Realtime saved search on dashboard

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms