Splunk Search

Combining historical and realtime searches

SplunkTrust

Is there any way to combine historical and realtime searches into a single search?

For example, I'd like to be able to search starting at (say) earliest=-5m@m and continue realtime into the future @ 1m increments.

The goal is to get a little context in your real time searches with what might have happened just before starting it.


Re: Combining historical and realtime searches

Path Finder

AFAIK, no. See: http://www.splunk.com/base/Documentation/latest/User/RealtimeSearch#Expected_performance_and_known_l...

But, that makes me wonder if you could combine results from a historical sub-search into a real-time search. Seems like it should be possible.


Re: Combining historical and realtime searches

SplunkTrust

Yup, there it is in the docs: "However, you cannot run a single search on both real-time data and historical data at the same time."


Re: Combining historical and realtime searches

Super Champion

Anyone have an idea on when this kind of feature could become available? This seems like a very natural type of request to me that would be very beneficial to a lot of users.

0 Karma

Re: Combining historical and realtime searches

Path Finder

I would love to see this as well.

0 Karma

Re: Combining historical and realtime searches

Motivator

Same here, I have had a LOT of clients ask about it. I end up having to create two graphs next to each other on a dashboard, one backward-looking, one forward-looking, if they don't plan on keeping the dashboard open longer than the range of the realtime search. (If they do, once events expire off the end of the realtime search, a gap in time will grow between the historical graph and the realtime. In that case I say just leave the realtime graph open and let it populate.)

0 Karma
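The two-panel workaround described in the post above, written out as an added example (this is not the poster's own dashboard and not Splunk documentation): a Simple XML dashboard whose first panel runs the historical search over the five minutes before the dashboard was opened (the earliest=-5m@m from the original question) and whose second panel runs the same search as a five-minute real-time sliding window. The index, sourcetype and search string are constructed placeholders; substitute your own.

```xml
<!-- Added example: backward-looking panel beside a forward-looking one.
     Search terms (index=main, sourcetype=access_combined, status>=400)
     are constructed placeholders, not from the original thread. -->
<dashboard>
  <label>Errors: last 5 minutes, then live</label>
  <row>
    <!-- Historical panel: fixed window ending when the dashboard loads.
         Does not advance, so it shows what happened just before. -->
    <panel>
      <title>Historical: 5 minutes before open</title>
      <chart>
        <search>
          <query>index=main sourcetype=access_combined status&gt;=400 | timechart span=1m count</query>
          <earliest>-5m@m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
    <!-- Real-time panel: the same search over a sliding 5-minute window.
         rt-5m .. rt keeps the window anchored to the current moment. -->
    <panel>
      <title>Real-time: sliding 5-minute window</title>
      <chart>
        <search>
          <query>index=main sourcetype=access_combined status&gt;=400 | timechart span=1m count</query>
          <earliest>rt-5m</earliest>
          <latest>rt</latest>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

As the post notes, the left panel is frozen at load time while the right panel's window keeps sliding, so once the dashboard has been open longer than the real-time window (five minutes here) a gap opens between the two charts; widening the rt-Nm window delays that at the cost of a heavier real-time search.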

Re: Combining historical and realtime searches

Communicator

Is there any news in this regard?

0 Karma

Re: Combining historical and realtime searches

Path Finder