Re: Display Real Time Calculations Without a Searc...

_dave_b · ‎12-30-2016

Hello,
I previously posted a question* about Real Time searches, and, thanks to the answers, I was able to achieve what I wanted with my dashboard. However, Real Time searches are expensive. Is there any way to continuously get the current (server) time and use it to perform calculations without performing a Real Time search?

* - Question located at http://answers.splunk.com/answers/484057/continuous-display-of-time-since-event.html

Thanks for your help!

gcusello · ‎12-30-2016

Hi _dave_b,
I I posted in the previous answer, you can also refresh your dashboard: from my experience,, this could be useful under two conditions:

if you're using this dashboard for a wallpaper and not for a static dashboard (it's less useful, if you're using a search dashboard, that the dashboard changes when you're see results!),
if your search isn't slow.

Otherwise, I think that real time searches are the most efficient way to display real time events.

Every way, you can to refresh your dashboard inserting in the <form> row the refresh time <form refresh="30"> (http://docs.splunk.com/Documentation/Splunk/6.3.0/Viz/PanelreferenceforSimplifiedXML#Dashboards_and_...) or only one panel <option name="refresh.auto.interval">60</option>(http://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML).

Bye.
Giuseppe

ddrillic · ‎12-30-2016

You should probably switch to alerts...

niketn · ‎12-30-2016

Did you look at my answer for your previous post where you can use use historical search but refresh every periodic interval like 5 minutes? It was option 2 where you did not have to use Real Time Searches.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Display Real Time Calculations Without a Search

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes