Is there any way to combine historical and realtime searches into a single search?
For example, I'd like to be able to search starting at (say) earliest=-5m@m and continue realtime into the future @ 1m increments.
The goal is to get a little context in your real time searches with what might have happened just before starting it.
This is now available as of Splunk 4.3
http://docs.splunk.com/Documentation/Splunk/4.3/User/RealtimeSearch#Real-time_backfill
is there any news in this regard?
AFAIK, no. See: http://www.splunk.com/base/Documentation/latest/User/RealtimeSearch#Expected_performance_and_known_l...
But, that makes me wonder if you could combine results from a historical sub-search into a real-time search. Seems like it should be possible.
Same here, I have had a LOT of clients ask about it. I end up having to create two graphs next to each other on a dashboard, one backward-looking, one forward-looking, if they don't plan on keeping the dashboard open longer than the range of the realtime search. (If they do, once events expire off the end of the realtime search, a gap in time will grow between the historical graph and the realtime. In that case I say just leave the realtime graph open and let it populate.)
I would love to see this as well.
Anyone have an idea on when this kind of feature could become available? This seems like a very natural type of request to me that would be very beneficial to a lot of users.
Yup, there it is in the docs - "However, you cannot run a single search on both real-time data and historical data at the same time."