Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Realtime search is very slow

sushildabare
Path Finder
‎11-23-2011 01:23 AM

When we perform All time search we get the results very quickly.
But when we search by selecting Realtime(30seconds, 1 minutes, 60 minutes etc) search is very very slow,
Is there any setting in splunk which we can set to improve this search response time for Real time searches?

Thanks|

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sdwilkerson
Contributor
‎11-23-2011 03:59 AM

Sushildabare,

I agree with Ayn's comment, that a realtime search should show events in realtime. Perhaps there are bad time (or timezone) in your data?

Choose "Real Time > All time (real-time)" entry in the TimeRangePicker pulldown" instead of one of the realtime intervals. This should show you data on the screen AS it is received. Examine your timeline. Are the times current?

If the data is the volume you expected, but the times/dates are off, then that is the answer to your problem. Of course, the you would have a new problem, which is to fix the time on the source or fix Splunk's interpretation of the time or timezone in props.conf.

Best,
Sean

View solution in original post

Reply
Solved! Jump to solution

BenAveling
Path Finder
‎11-20-2013 03:47 PM

As per Sean's answer, real time searches never 'finish'. But they should display all the available results about as quickly as Relative searches. What they don't do is tell you that they have found all the available results - because they are still searching.

This can be particularly confusing if you use Time range picker -> All time (real-time) without realising that it is 'special' - it does not show past events, only events that occur after the search started - you'll see that the number of events matched is only, for eg, "28 of 28 events matched" - 28 is the number of events that have matched since your search started. If you were expecting more results, it can seem that it is slow, when in fact, it has actually finished.

Officially, this is a feature, even though it may not feel like one. See: http://docs.splunk.com/Documentation/Splunk/6.0/Search/Specifyrealtimewindowsinyoursearch#Real-time_...

0 Karma
Reply
Solved! Jump to solution
Solution

sdwilkerson
Contributor
‎11-23-2011 03:59 AM

Sushildabare,

I agree with Ayn's comment, that a realtime search should show events in realtime. Perhaps there are bad time (or timezone) in your data?

Choose "Real Time > All time (real-time)" entry in the TimeRangePicker pulldown" instead of one of the realtime intervals. This should show you data on the screen AS it is received. Examine your timeline. Are the times current?

If the data is the volume you expected, but the times/dates are off, then that is the answer to your problem. Of course, the you would have a new problem, which is to fix the time on the source or fix Splunk's interpretation of the time or timezone in props.conf.

Best,
Sean

Reply
Solved! Jump to solution

sushildabare
Path Finder
‎11-23-2011 07:39 AM

Thanks Ayn and Sean for your inputs, I completely agree with Ayn, realtime searching events will be shown as they arrive in realtime.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎11-23-2011 02:09 AM

When you do realtime searching events will be shown as they arrive in realtime. How have you come to the conclusion that the search is slow? Do you know that events are arriving in a much higher rate than they are shown in the interface?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...