- Splunk Answers
- :
- Using Splunk
- :
- Reporting
- :
- How to set up real-time search as saved search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi!
I want to set up a real-time search as a saved search , which can run as a background job.
However , reading the document , it seems that its only available on Splunk web or the CLI.
http://docs.splunk.com/Documentation/Splunk/5.0.2/Search/Aboutrealtimesearches
Can someone help me out how to find the way to set up real-time search for savedsearches
from the GUI?
Thanks,
Yu
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Yu,
Realtime searches are handled differently to regular searches as the results are extracted and presented before the data has been indexed. As a consequence, they are very resource (CPU) intensive.
A better was to do this would be to run a scheduled search (every five minutes) that would search for any instances of events in the last 5 minutes. This gets around the possibility of not seeing events where there is a delay between the event happening, and the event being indexed (as long as the delay isn't more than 5 minutes)
Generally, realtime searches should be used sparingly (in my opinion anyway)
Here's what Splunk has to say on the matter: http://docs.splunk.com/Splexicon:Realtimealert
Hope this is of some help 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can schedule real-time searches by appending "rt" to the earliest and/or latest time. Thus, "rtnow" would be real-time equivalent of now and "rt-24h" would the real-time equivalent of 24 hours in the past.
Note that real-time searches are expensive and can slow down indexing significantly (even if they are not matching many events). Therefore, avoid using them if you can.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It will unless you explicitly define a time-range in the view itself.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello LukeMurphey.
Thank you for the comment.
Is this timerange applied when you open up the view in the web?
Thanks,
Yu Watanabe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Yu,
Realtime searches are handled differently to regular searches as the results are extracted and presented before the data has been indexed. As a consequence, they are very resource (CPU) intensive.
A better was to do this would be to run a scheduled search (every five minutes) that would search for any instances of events in the last 5 minutes. This gets around the possibility of not seeing events where there is a delay between the event happening, and the event being indexed (as long as the delay isn't more than 5 minutes)
Generally, realtime searches should be used sparingly (in my opinion anyway)
Here's what Splunk has to say on the matter: http://docs.splunk.com/Splexicon:Realtimealert
Hope this is of some help 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello R.Turk.
Thank you for the reply.
The reason I want to test real time search is to use the splunk as monitoring prospect. Kind of imagining sending alerts in real time to external applications like nagios.
I will take your advice into account.
Thanks,
Yu
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
