
realtime_schedule in savedsearches.conf, is this what I'm looking for?


I would like the saved search to run in real time: basically, I want the saved search I have set up in savedsearches.conf to be populated in real time as more and more data gets forwarded to the raw index.

Is the realtime_schedule = [0|1] I find in savedsearches.conf what I'm looking for in this case? I have read the config template about it here, but more real-life information about what to expect from this would be great!



No, this does not determine whether your scheduled search runs in real time. Per savedsearches.conf.spec:

realtime_schedule = [0|1]
* Controls the way the scheduler computes the next execution time of a scheduled search.
* If this value is set to 1, the scheduler bases its determination of the next scheduled search
  execution time on the current time.
* If this value is set to 0, the scheduler bases its determination of the next scheduled search
  on the last search execution time. This is called continuous scheduling.
* If set to 1, the scheduler might skip some execution periods to make sure that the scheduler
  is executing the searches running over the most recent time range.
* If set to 0, the scheduler never skips scheduled execution periods. However, the execution
  of the saved search might fall behind depending on the scheduler's load. Use continuous
  scheduling whenever you enable the summary index option.
* The scheduler tries to execute searches that have realtime_schedule set to 1 before it
  executes searches that have continuous scheduling (realtime_schedule = 0).
* Defaults to 1

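The two scheduling modes side by side, as an added illustration that is not part of the original question or answer and not from Splunk's own documentation. It assumes a hypothetical app's local/savedsearches.conf; the stanza names, the index names raw and summary_raw, and the search strings are invented for the example. The first stanza is the summary-indexing case the spec says should use continuous scheduling; the second shows that a search which is actually real-time gets that property from rt time modifiers on its dispatch window, not from realtime_schedule.

```ini
# Added example, not the original post's configuration. Stanza names, index
# names and searches are assumptions made for illustration.

# 1) Summary-indexing search: every 5 minutes, write per-source event counts
#    for the previous 5-minute window into a summary index.
#    realtime_schedule = 0 (continuous scheduling): the scheduler computes the
#    next run from the last run, never skips a period, and if it falls behind
#    it works through the missed periods in order. That is what keeps the
#    summary index free of gaps, which is why the spec says to use it whenever
#    the summary index action is enabled.
[summary_events_by_source]
search = index=raw | stats count by source
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
realtime_schedule = 0
action.summary_index = 1
action.summary_index._name = summary_raw

# 2) The same search left on the default realtime_schedule = 1: the scheduler
#    computes the next run from the current time and may skip periods under
#    load so that it always runs over the most recent window. Fine for an
#    alert that only cares about "now"; wrong for summary indexing, because a
#    skipped period is a hole in the summary.
[alert_recent_failures]
search = index=raw status=failure | stats count
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
realtime_schedule = 1

# 3) What the question is actually after. A real-time dispatch window
#    (rt-5m to rt) is what makes a saved search run continuously against
#    data as it arrives; realtime_schedule has no bearing on it. Check the
#    alert-related keys your Splunk version expects in savedsearches.conf.spec
#    before relying on this stanza; this one is kept to the keys shown above.
[alert_recent_failures_rt]
search = index=raw status=failure | stats count
enableSched = 1
dispatch.earliest_time = rt-5m
dispatch.latest_time = rt
```

A real-time search holds a search process open for as long as it is enabled, so keep the number of such searches small and prefer the scheduled summary-indexing pattern in stanza 1 when "near real time" (a few minutes of lag) is acceptable; it is far cheaper on the search head and gives you a gap-free summary to report from.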