- Splunk Answers
- :
- Using Splunk
- :
- Reporting
- :
- Is there any reason to schedule a real-time search...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there any benefit to scheduling a saved real-time search if I don't configure any alerts/etc for it?
With non-real-time scheduled searches I understand that I get the benefit of caching the latest data so dashboards & etc load fast, even if I don't have any alerts configured for it. But with real-time scheduled searches is anything cached, or anything like that?
Am I just burning up CPU by running real-time scheduled saved searches that don't have any alert actions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A little testing seems to show that the benefit of "scheduling" real-time searches is that historical data on dashboards (the non-real-time data) is cached and loads instantaneously when I pull up the dashboard. For our case, the cost of always running the real-time search, even when someone isn't viewing the dashboard, doesn't seem worth the quicker load of historical data.
On the other hand, my testing seems to show that the benefit of having a saved (but doesn't have to be scheduled) real-time search for dashboards is that everyone who loads the dashboard will share the same real-time search job, which can be way more efficient. (thanks gkanapathy)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A little testing seems to show that the benefit of "scheduling" real-time searches is that historical data on dashboards (the non-real-time data) is cached and loads instantaneously when I pull up the dashboard. For our case, the cost of always running the real-time search, even when someone isn't viewing the dashboard, doesn't seem worth the quicker load of historical data.
On the other hand, my testing seems to show that the benefit of having a saved (but doesn't have to be scheduled) real-time search for dashboards is that everyone who loads the dashboard will share the same real-time search job, which can be way more efficient. (thanks gkanapathy)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If it is to be displayed on dashboards that are viewed in more than one place at a time, then having it scheduled allows all the different dashboards and instances of dashboards to use the same scheduled search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have just labbed this and found that splunk runs separate processes for each account looking at the RT dashboard regardless of whether it is a saved RT or a scheduled RT populating it.
Using splunk 5.0.2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Doing some testing, I seem to get the same sharing benefits as long as it's "saved" (doesn't have to be "scheduled"). i.e., looking at the "Jobs" window for all running jobs from all users, if I load the dashboard in multiple browsers with multiple user accounts I only see one job (the one from the first user to load the dashboard) show up.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So if it's "saved" but not "scheduled" then dashboards won't share the search?
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
