Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to set a realtime search to constantly run even with no attached dashboard

hhGA
Communicator
‎07-01-2016 02:08 AM

Hi,

I am trying to set up a realtime search which is running 24/7 but without having a dashboard attached to it. The reason for this is that I would like to retrieve data periodically using the REST API.

How do I go about getting a real time search to run indefinitely?

Thanks in advance.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-04-2016 08:57 AM

If you put a real-time search into a dahsboard panel and save the panel in a dashboard, the search should run forever.

Alternatively try save your real-time search and scheduling the search to run every hour. I suspect that it will only run once (but check after an hour) and when your search head (or service) restarts, within an hour, the search should be running again.

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎07-01-2016 06:17 AM

Per your comments on cusello's answer below, can we step back a second and make sure we're all trying to answer the question that needs answering? There seems to be a bit more under the hood that it might appear at first glance.

What did you mean by "runs too slowly to be scheduled" - just the lag is deemed to great if it runs once per minute?

What did you mean by "retrieve data periodically"? Periodically != RT.

How do those two things fit together? Periodically retrieve RT information? Why not just retrieve up to date information at the time you bang into the REST API?

If you could more fully describe the situation, perhaps we'll be able to come up with better, more complete solutions.

Thanks!

0 Karma
Reply

hhGA
Communicator
‎07-04-2016 03:25 AM

Hi rich7177,

The results of the query are required every minute, however, the search takes around 10 minutes to complete.

There will be over 50 clients of this search which require the results via the REST API. Each client will poll Splunk every minute which, even if the search was quicker, would mean 50 searches a minute.

I thought a better way to do it would be to run a search in real time and then have the clients poll Splunk for the latest result seat from the search.

Thanks in advance,

0 Karma
Reply

woodcock
Esteemed Legend
‎07-01-2016 05:49 AM

Just start it and select Send Job to Background item in the Jobs menu under the timeline on the right side.

0 Karma
Reply

hhGA
Communicator
‎07-04-2016 03:21 AM

Hi Woodock,

The 'Send Job to Background' button is greyed out.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-01-2016 02:31 AM

Try to execute the same search using a scheduled report or a realtime alert!
what do you want to extract with the search?
Bye.
Giuseppe

0 Karma
Reply

hhGA
Communicator
‎07-01-2016 02:49 AM

Hi Guiseppe,

The report is quite heavy and takes some time to run. Scheduling the report will no provide results fast enough for our requirements.

I have set the search up as a real time alert but am unable to extract the results from this.

I am trying to extract the entire result of the search with the REST calls.

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...