Splunk Search

How to replace a real time search with a historical search without impacting the visualization that is based on the real time search?

Path Finder


My management (and me as well, of course) loves the way the visualizations for real time searches look. But from a system administration perspective, it's a nightmare, as we are all well aware of the impact real time searches have on the system.

To clarify, a real time search, when it updates its data, seamlessly and continuously transforms the current data point to the next data point as new data streams through Splunk. However, if we use a historical search with an auto-refresh, there is sort of 'flash' of blank space as the search runs and populates the visualization with the newly retrieved data.

I am looking for a solution to replace the real time searches with a historical search without impacting the visualization - in other words, a historical search that displays like a real time search (only, of course without the continual updates to the values).

Is this possible, has any one tried this or have any ideas? Again, the idea is to give management the 'smooth' visualizations they have come to expect from the real time searches without having to actually run a real time search.

Joel B

0 Karma

Splunk Employee
Splunk Employee

May I suggest you look at indexed_real-time: http://docs.splunk.com/Documentation/Splunk/6.5.0/Search/Aboutrealtimesearches

The number of concurrent real-time searches can greatly affect indexing performance. To lessen the impact on the indexer, you can enable indexed real-time search. This runs the search like a historical search, but also continually updates it with new events as they appear on disk. To enable indexed real-time search as the default behavior for your real-time searches, edit the limits.conf stanza called realtime and set indexed_realtime_use_by_default = true. Indexed real-time search is used when up-to-the-second accuracy is not needed. The results returned by indexed real-time search will always lag behind a real-time search. You can control the number of seconds of lag with the indexed_realtime_disk_sync_delay = setting. By default, this delay is 60 seconds.

0 Karma
Get Updates on the Splunk Community!

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...