Splunk Search

Help understanding real time searches

astatrial
Contributor

Hello everyone,
I think I don't fully understand the concept of real-time searches.
If I configure a search as a real-time search and also configure a cron schedule to run every hour when the search will run?
(considering logs are being injected into Splunk all the time)
I have noticed that the default of real-time is every 5 minutes, but does it changed when I configure other cron?

Thanks!

0 Karma

astatrial
Contributor

alt text

0 Karma

amitm05
Builder

@astatrial

https://docs.splunk.com/Documentation/SplunkCloud/latest/Search/Aboutrealtimesearches
https://docs.splunk.com/Documentation/Splunk/7.3.0/Alert/DefineRealTimeAlerts

The above will be good reads to start with understanding RT searches and alerts in Splunk.
To answer your ques - Yes, in your case as the data is being injected into splunk all the time, a real time search keeps looking at the incoming steam of data continuously as well.

Now having said that realtime search runs continuously, so having a cron (rerun search at fixed interval) does not make much of a sense. For real-time saved searches, as soon as you click "Save", it will start running and KEEP running.
You'd find that while setting up the alert, you'd not find any Cron setting option on the GUI if you try to set a Real Time alert.

Hope this helps. Let me know.

0 Karma

astatrial
Contributor

Hi,
Thanks very much.
But this is the problem, i have an option to configure cron schedule even for real time search. I attached a picture now, so you can see it.

0 Karma

amitm05
Builder

Which version of Splunk are you on ?

The point is not that whether you are getting the option from GUI or not. Even if one is not getting it, I guess it can even then be given from the conf directly.
It is about the essence of it. In real time, your rolling window period keeps on adjusting the new search time window which means that at real time you are getting the coverage as per your defined criteria.

Still setting the cron job would keep on filling your dispatch and hit the performance and you will have to set a pretty low job expiration time because you would not want too many RT searches running Live on your system when all those jobs would be returning you with the same alert result.


If the cron time has to be filled - You must give it a 24 hour cron, as the default expiration time of searches in dispatch is 24 hours (if you have not changed it to something else). So basically at the run time of every new search you would expire your previous one.

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@astatrial,

Real time searches run continuously and scan events as the events arrive for indexing. It periodically evaluates the scanned events against your search criteria to find actual matches within the sliding time range window that you have defined for the search.
It brings you the live events even before it gets indexed unless Indexed real-time search is configured.

Here is a detailed explanation of Real-time search mechanics

A scheduled search is different where you schedule a search for every lets say 1 hour. This search runs every hour and searches for the time window you have configured and bring the matching results.

Please be aware of the performance concerns while using real time searches.

Refer to this discussion for more details : Why are realtime searches disliked in the Splunk world?

Happy Splunking!
0 Karma

astatrial
Contributor

Hi,
Thanks for the reply.
I get that real-time searches are running on events as they arrive , but what if i configure a real-time search and also configure a cron schedule ?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...