Reporting

Can I trigger a saved search which triggers more frequently than 1 minute?

highsplunker
Contributor

Hey guys,
Can I trigger a saved search more frequently than 1 minute?
I have two servers configuration: an indexer and a search head.
The problem is that the schedule can get only * * * * * Cron as the most frequent, if I'm not wrong.

0 Karma
1 Solution

martin_mueller
SplunkTrust

Not with the built-in scheduler, no. You can always trigger searches at any frequency from the outside via the REST API. In some cases you can also use real-time searches, but tread carefully as they have many pitfalls.

I'd wonder why though, what requires sub-minute responses?

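As an added example (not code from this thread or from Splunk), here is the approach the accepted answer points at: a small Python poller that dispatches a saved search through the search head's REST API every 15 seconds, using the saved/searches/{name}/dispatch and search/jobs/{sid} endpoints. The management URL, authentication token and saved-search name are assumed placeholders supplied via environment variables; the poller skips a tick while the previous job is still running so that sub-minute polling cannot pile searches up on the search head.

```python
import json
import os
import time
import urllib.request
import xml.etree.ElementTree as ET

def build_dispatch_request(base_url, saved_search, token, owner="nobody", app="search"):
    """POST to saved/searches/{name}/dispatch starts one run of the saved search;
    trigger_actions=1 makes its alert actions fire as they would under the scheduler."""
    url = f"{base_url}/servicesNS/{owner}/{app}/saved/searches/{saved_search}/dispatch"
    req = urllib.request.Request(url, data=b"trigger_actions=1", method="POST")
    req.add_header("Authorization", f"Bearer {token}")  # Splunk authentication token
    return req

def parse_sid(dispatch_xml):
    """The dispatch endpoint answers with <response><sid>...</sid></response>."""
    return ET.fromstring(dispatch_xml).findtext("sid")

def parse_is_done(job_json):
    """search/jobs/{sid}?output_mode=json reports isDone in entry[0].content."""
    return bool(json.loads(job_json)["entry"][0]["content"]["isDone"])

def run_poller(dispatch_fn, is_done_fn, interval_s, max_ticks, sleep_fn=time.sleep):
    """Dispatch every interval_s seconds. A tick is skipped while the previous job
    is still running, so slow searches cannot pile up on the search head.
    Returns (list of dispatched sids, number of skipped ticks)."""
    sids, skipped, current = [], 0, None
    for _ in range(max_ticks):
        if current is not None and not is_done_fn(current):
            skipped += 1
        else:
            current = dispatch_fn()
            sids.append(current)
        sleep_fn(interval_s)
    return sids, skipped

def _http(req):
    # TLS verification is left on: the management port certificate must be trusted.
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()

if __name__ == "__main__":
    # Assumed settings; SPLUNK_URL is the search head's management port (8089).
    base, token = os.environ["SPLUNK_URL"], os.environ["SPLUNK_TOKEN"]
    name = os.environ.get("SAVED_SEARCH", "my_monitoring_rule")  # placeholder name
    hdr = {"Authorization": f"Bearer {token}"}
    dispatch = lambda: parse_sid(_http(build_dispatch_request(base, name, token)))
    is_done = lambda sid: parse_is_done(_http(urllib.request.Request(
        f"{base}/services/search/jobs/{sid}?output_mode=json", headers=hdr)))
    run_poller(dispatch, is_done, interval_s=15, max_ticks=4)
```

Each dispatched run costs the same as a scheduled run, so the skip counter is worth watching: a rising count means the search takes longer than the polling interval and the interval, not the scheduler, is the bottleneck.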

martin_mueller
SplunkTrust

While I can't speak to the reasoning why Splunk made that decision, I see little point in having non-realtime searches launched every 15 seconds. You get all the performance impacts associated with rt searches but are 15s slower than an rt search.

Based on many Splunk users I've spoken to over the years that initially asked for fast-polling or even realtime searches, virtually all use cases didn't actually make sense with such a high frequency. Common questions include "how fast is the reaction to an alert trigger going to be?", "how fast is the data delivery going to be?", etc. - no idea how that maps to your use case though as you haven't specified that. I wouldn't use Splunk to make real-time driving decisions in a car, for example.

0 Karma

highsplunker
Contributor

Ok, thank you.

0 Karma

martin_mueller
SplunkTrust

What's your use case that needs sub-minute timing?

0 Karma

highsplunker
Contributor

I'm analyzing the possibilities of the platform now. Normally we use 1 min searches as the most frequent. But it's probable that I'll need to trigger a bunch of my Splunk monitoring rules every 15 or 30 seconds. And I don't understand why the software does not allow that in the interface. Or maybe I'm missing something.

0 Karma

martin_mueller
SplunkTrust

Realtime searches are the most "online" way to react to things in Splunk, not scheduled polling.

0 Karma

highsplunker
Contributor

Thanks Martin. The thing is that I heard real-time searches are not really reliable. Not sure if I got it right though.

0 Karma

highsplunker
Contributor

Ok. REST API is configured, it's good.
To your question: I'd like to see what kind of "almost online" monitoring is possible with Splunk.

I was wondering why it's possible to trigger the search head via the REST API more often than once a minute, but not from the interface itself.

Thanks anyway.

0 Karma