Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to set a realtime search to constantly run even with no attached dashboard

hhGA
Communicator
‎07-01-2016 02:08 AM

Hi,

I am trying to set up a realtime search which is running 24/7 but without having a dashboard attached to it. The reason for this is that I would like to retrieve data periodically using the REST API.

How do I go about getting a real time search to run indefinitely?

Thanks in advance.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-04-2016 08:57 AM

If you put a real-time search into a dahsboard panel and save the panel in a dashboard, the search should run forever.

Alternatively try save your real-time search and scheduling the search to run every hour. I suspect that it will only run once (but check after an hour) and when your search head (or service) restarts, within an hour, the search should be running again.

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎07-01-2016 06:17 AM

Per your comments on cusello's answer below, can we step back a second and make sure we're all trying to answer the question that needs answering? There seems to be a bit more under the hood that it might appear at first glance.

What did you mean by "runs too slowly to be scheduled" - just the lag is deemed to great if it runs once per minute?

What did you mean by "retrieve data periodically"? Periodically != RT.

How do those two things fit together? Periodically retrieve RT information? Why not just retrieve up to date information at the time you bang into the REST API?

If you could more fully describe the situation, perhaps we'll be able to come up with better, more complete solutions.

Thanks!

0 Karma
Reply

hhGA
Communicator
‎07-04-2016 03:25 AM

Hi rich7177,

The results of the query are required every minute, however, the search takes around 10 minutes to complete.

There will be over 50 clients of this search which require the results via the REST API. Each client will poll Splunk every minute which, even if the search was quicker, would mean 50 searches a minute.

I thought a better way to do it would be to run a search in real time and then have the clients poll Splunk for the latest result seat from the search.

Thanks in advance,

0 Karma
Reply

woodcock
Esteemed Legend
‎07-01-2016 05:49 AM

Just start it and select Send Job to Background item in the Jobs menu under the timeline on the right side.

0 Karma
Reply

hhGA
Communicator
‎07-04-2016 03:21 AM

Hi Woodock,

The 'Send Job to Background' button is greyed out.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-01-2016 02:31 AM

Try to execute the same search using a scheduled report or a realtime alert!
what do you want to extract with the search?
Bye.
Giuseppe

0 Karma
Reply

hhGA
Communicator
‎07-01-2016 02:49 AM

Hi Guiseppe,

The report is quite heavy and takes some time to run. Scheduling the report will no provide results fast enough for our requirements.

I have set the search up as a real time alert but am unable to extract the results from this.

I am trying to extract the entire result of the search with the REST calls.

Thanks

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...