Reporting

How to set up real-time search as saved search

yuwtennis
Communicator

Hi!

I want to set up a real-time search as a saved search, which can run as a background job.
However, reading the document, it seems that it's only available on Splunk Web or the CLI.

http://docs.splunk.com/Documentation/Splunk/5.0.2/Search/Aboutrealtimesearches

Can someone help me find out how to set up a real-time search for savedsearches
from the GUI?

Thanks,
Yu

1 Solution

rturk
Builder

Hi Yu,

Realtime searches are handled differently to regular searches as the results are extracted and presented before the data has been indexed. As a consequence, they are very resource (CPU) intensive.

A better way to do this would be to run a scheduled search (every five minutes) that would search for any instances of events in the last 5 minutes. This gets around the possibility of not seeing events where there is a delay between the event happening, and the event being indexed (as long as the delay isn't more than 5 minutes).

Generally, realtime searches should be used sparingly (in my opinion anyway).

Here's what Splunk has to say on the matter: http://docs.splunk.com/Splexicon:Realtimealert

Hope this is of some help 🙂


LukeMurphey
Champion

You can schedule real-time searches by appending "rt" to the earliest and/or latest time. Thus, "rtnow" would be the real-time equivalent of now and "rt-24h" would be the real-time equivalent of 24 hours in the past.

Note that real-time searches are expensive and can slow down indexing significantly (even if they are not matching many events). Therefore, avoid using them if you can.

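Putting the two answers side by side as an added example (not from the original thread or from Splunk's documentation): a savedsearches.conf fragment with the real-time saved search that Luke's "rt" modifiers produce, next to the five-minute scheduled search that rturk recommends. The stanza names, the search string and the script name are assumptions for illustration.

```ini
# Assumed location: $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf
# Both stanzas alert on failed SSH logins; the search itself is constructed for this example.

# Variant 1: real-time saved search. The "rt" prefix turns ordinary time modifiers
# into a rolling real-time window (rt-5m .. rtnow). The scheduler keeps it running
# continuously, and it consumes indexer CPU even when no events match.
[ssh_failed_logins_realtime]
search = index=os sourcetype=linux_secure "Failed password" | stats count by src_ip
enableSched = 1
dispatch.earliest_time = rt-5m
dispatch.latest_time = rtnow
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
# Real-time alerts can fire repeatedly as results stream in; throttle so the
# external monitor (the poster mentions Nagios) is not flooded.
alert.suppress = 1
alert.suppress.period = 5m
action.script = 1
action.script.filename = notify_nagios.sh

# Variant 2: scheduled search, the recommended approach. Runs every five minutes
# over the previous five minutes. Snapping both ends to the minute (@m) makes
# consecutive runs tile without gaps or double-counting.
[ssh_failed_logins_scheduled]
search = index=os sourcetype=linux_secure "Failed password" | stats count by src_ip
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
action.script = 1
action.script.filename = notify_nagios.sh
# Caveat: an event whose _time falls in this window but which is indexed after the
# run has finished is not picked up by the next run either, because the next window
# starts later. If indexing lag is expected, shift the window back (for example
# -10m@m to -5m@m) so events have time to be indexed before they are searched.
```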

LukeMurphey
Champion

It will unless you explicitly define a time-range in the view itself.


yuwtennis
Communicator

Hello LukeMurphey.

Thank you for the comment.

Is this time range applied when you open up the view in the web?

Thanks,
Yu Watanabe


yuwtennis
Communicator

Hello R.Turk.

Thank you for the reply.

The reason I want to test real-time search is to use Splunk as a monitoring prospect. Kind of imagining sending alerts in real time to external applications like Nagios.

I will take your advice into account.

Thanks,
Yu
