Is there any benefit to scheduling a saved real-time search if I don't configure any alerts/etc for it?
With non-real-time scheduled searches I understand that I get the benefit of caching the latest data so dashboards, etc. load fast, even if I don't have any alerts configured for it. But with real-time scheduled searches is anything cached, or anything like that?
Am I just burning up CPU by running real-time scheduled saved searches that don't have any alert actions?
A little testing seems to show that the benefit of "scheduling" real-time searches is that historical data on dashboards (the non-real-time data) is cached and loads instantaneously when I pull up the dashboard. For our case, the cost of always running the real-time search, even when someone isn't viewing the dashboard, doesn't seem worth the quicker load of historical data.
On the other hand, my testing seems to show that the benefit of having a saved (but doesn't have to be scheduled) real-time search for dashboards is that everyone who loads the dashboard will share the same real-time search job, which can be way more efficient. (thanks gkanapathy)
If it is to be displayed on dashboards that are viewed in more than one place at a time, then having it scheduled allows all the different dashboards and instances of dashboards to use the same scheduled search.
I have just labbed this and found that Splunk runs separate processes for each account looking at the RT dashboard regardless of whether it is a saved RT or a scheduled RT populating it.
Using Splunk 5.0.2
Doing some testing, I seem to get the same sharing benefits as long as it's "saved" (doesn't have to be "scheduled"). I.e., looking at the "Jobs" window for all running jobs from all users, if I load the dashboard in multiple browsers with multiple user accounts I only see one job (the one from the first user to load the dashboard) show up.
So if it's "saved" but not "scheduled" then dashboards won't share the search?