Knowledge Management

realtime_schedule in savedsearches.conf, is this what I'm looking for?


I would like the saved search to run in real time: basically, I want the saved search I have set up in savedsearches.conf to be populated in real time as more and more data gets forwarded to the raw index.

Is the realtime_schedule = [0|1] that I find in savedsearches.conf what I'm looking for in this case? I have read the config template about it here, but more real-life information about what to expect from this would be great!



No, this does not determine whether your scheduled search runs in real time. Per savedsearches.conf.spec:

realtime_schedule = [0|1]
* Controls the way the scheduler computes the next execution time of a scheduled search.
* If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time.
* If this value is set to 0, the scheduler bases its determination of the next scheduled search execution time on the last search execution time. This is called continuous scheduling.
* If set to 1, the scheduler might skip some execution periods to make sure that the scheduler is executing the searches running over the most recent time range.
* If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler's load. Use continuous scheduling whenever you enable the summary index option.
* The scheduler tries to execute searches that have realtime_schedule set to 1 before it executes searches that have continuous scheduling (realtime_schedule = 0).
* Defaults to 1

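To make the difference between the two values concrete, here is an added savedsearches.conf example (not part of the original thread or of Splunk's spec file). The stanza names, the search text and the index names `rawdata` and `summary_auth` are assumed for illustration; the setting names are the standard ones. The first stanza is a normal scheduled search that the scheduler keys to the current time, so it may skip a period under load to stay on the most recent window. The second feeds a summary index, so it uses continuous scheduling (realtime_schedule = 0), which never skips a period and therefore leaves no hour missing from the summary, at the cost of possibly running behind when the scheduler is busy.

```ini
# Added example, not the original poster's config.
# Stanza names, searches and index names (rawdata, summary_auth) are assumed.

# Scheduled search keyed to the current time (realtime_schedule = 1, the default).
# If the scheduler falls behind, it may skip a period so the search always
# covers the most recent hour. Fine for a dashboard; unsafe for a summary index.
[hourly_failed_logins_latest]
search = index=rawdata sourcetype=auth action=failure | stats count by user
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
realtime_schedule = 1

# Continuous scheduling (realtime_schedule = 0): the next run is computed from
# the last run, so every hour is eventually searched even if execution lags.
# Required whenever the results are written to a summary index, otherwise a
# skipped period becomes a permanent hole in summary_auth.
[hourly_failed_logins_summary]
search = index=rawdata sourcetype=auth action=failure | stats count by user
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
realtime_schedule = 0
action.summary_index = 1
action.summary_index._name = summary_auth
```

Neither stanza makes the search itself a real-time search; both are ordinary scheduled searches that differ only in how the scheduler picks the next run time and whether it is allowed to skip a period. After editing, confirm the effective value with `splunk btool savedsearches list hourly_failed_logins_summary --debug`, which also shows which file a setting is coming from if a higher-precedence app overrides it.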