Re: How do real-time searches identify both index ...

splunkn · ‎12-10-2015

I have gone through the Splunk Docs. It's saying that real-time search is basically used to search events before they get indexed. However, I need a few clarifications on this one below.

RT search processes un-indexed data. So, how could it identify the both index-time and search-time fields? Will it process the field extractions once it finds a match in incoming events?

The data is not indexed yet. So how it could look for its sourcetype, source, and host since all are index-time only?

Could someone explain in detail?

Thanks in advance

renjith_nair · ‎12-11-2015

You are correct in that real-time searches grab the data before it hits the index queue, however real-time searches do have access to search time field extractions which happen in the parsing queue.

When events reach splunk, it goes thru different stages/pipeline which is explained detailed here

http://docs.splunk.com/Documentation/Splunk/6.2.0/Deploy/Datapipeline

Also look at http://wiki.splunk.com/Community:HowIndexingWorks

A good read about real time searches are

http://docs.splunk.com/Documentation/Splunk/6.1/Search/Aboutrealtimesearches
http://docs.splunk.com/Documentation/Splunk/6.1/Search/RealtimesearchesandreportsinSplunkWeb

Happy Splunking!

How do real-time searches identify both index and search-time fields if it processes data that hasn't been indexed yet?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms