Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to set up a NEAR real time search in Splunk 6.6.3

nls7010
Path Finder
‎02-20-2019 07:10 AM

I have a client that wants to set up a "near" real time search in Splunk. Can this be done (it needs to be continuous), if so, would we need to use a cron job for searches like this or can we dong something like -5rt to rt? Or would that still be considered a "real time" search? The search needs to be run continuously to catch the errors as they come in.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

arkadyz1
Builder
‎02-20-2019 08:09 AM

Anything that ends at "rt" is a real-time search. Ask yourself this: how "continuous" do you want it to be? If you want granularity up to, say, 2 seconds, you can have a bigger base search of -5m to -2s, then add to it with smaller -4s to -2s searches running every 2 seconds.

On forms and dashboards, you can set a refresh time separately on each element or globally at the top level.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

nls7010
Path Finder
‎02-20-2019 10:08 AM

Their search is based off the time selection and it's all time. (index="myindex" REMOTE-DEVICE STATUS CHECK is all there is to it. If the events are greater than one they invoke the script in the $HOME/splunkforwarder/bin/scripts directory. They invoke it when the number of events is greater than zero and if it's true, then they alert and throttle the alerting for 60 minutes.

0 Karma
Reply
Solved! Jump to solution
Solution

arkadyz1
Builder
‎02-20-2019 08:09 AM

Anything that ends at "rt" is a real-time search. Ask yourself this: how "continuous" do you want it to be? If you want granularity up to, say, 2 seconds, you can have a bigger base search of -5m to -2s, then add to it with smaller -4s to -2s searches running every 2 seconds.

On forms and dashboards, you can set a refresh time separately on each element or globally at the top level.

0 Karma
Reply
Solved! Jump to solution

nls7010
Path Finder
‎02-20-2019 08:30 AM

The clients are looking for a particular phrase in their logs and want it to be a continuous search. Not certain how I would split this up into the two searches you mentioned above.

0 Karma
Reply
Solved! Jump to solution

arkadyz1
Builder
‎02-20-2019 08:44 AM

It seems like they want to react to something quickly. The question is: how quickly? They must have some "reaction time" allowed.

Another question: what are they using to launch the searches? Some kind of Splunk SDK? If yes, any searches, either one shot or regular, have "earliest_time" and "latest_time" keyword attributes that can be added. I did it in Python but I'd assume it's true in any SDK.

If they need it on a dashboard, many elements can have a refresh value. On the top level (form or dashboard tag), there is a refresh attribute which has a numerical value in seconds. A similar attribute can be in many other elements, such as table or chart.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...