Splunk Search

Indexed Real Time Search

bwalden_splunk
Splunk Employee

Some questions about indexed rt (http://docs.splunk.com/Documentation/Splunk/6.2.2/Search/Aboutrealtimesearches#Indexed_real-time_sea...). Apparently I can't post a link, so search for "indexed realtime" at Splunk docs if you don't know what it is.

  1. The docs say setting indexed_realtime_use_by_default = true sets indexed rt to be the "default" behavior. If this is enabled, is there still a way I can run "normal", pre-indexer rt searches, perhaps with some search argument or command?
  2. Is there a way to make indexed rt the default for a role, but allow other roles to use normal rt?
  3. Are there any guidelines on best practices for setting indexed_realtime_default_span?

thanks,
bw


tsteens
Explorer

You can define this on a saved search. In savedsearches.conf add (under the stanza for your search):
dispatch.indexedRealtime = <bool>
* Specifies whether to use indexed-realtime mode when doing realtime searches.
* Defaults to false

As far as I know you can not do this per role.

Ref:
http://docs.splunk.com/Documentation/Splunk/6.3.1/Admin/Savedsearchesconf

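A constructed configuration example (added here, not posted by anyone in the thread) that puts the limits.conf settings from the question next to the per-search switch tsteens describes; the stanza names, the search string and the span value are illustrative assumptions, and the thread does not confirm whether a per-search setting can override a global default of true.

```ini
# limits.conf on the search head -- constructed example
[realtime]
# Leave normal (non-indexed) real-time search as the global default
indexed_realtime_use_by_default = false
# Seconds between index checks in indexed real-time mode;
# value chosen for illustration, not a recommended best practice
indexed_realtime_default_span = 1

# savedsearches.conf -- constructed example
# This one saved search opts in to indexed real-time mode, so it does not
# hold a dedicated CPU core the way a normal real-time search does.
[ops_center_failed_logins_rt]
search = index=auth action=failure | stats count by user
dispatch.earliest_time = rt-5m
dispatch.latest_time = rt
dispatch.indexedRealtime = true
```

Searches without dispatch.indexedRealtime keep the global behaviour set in limits.conf, which is the per-search granularity tsteens refers to; a per-role setting is not available.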

masonmorales
Influencer

The docs say setting indexed_realtime_use_by_default = true sets indexed rt to be the "default" behavior. If this is enabled, is there still a way I can run "normal", pre-indexer rt searches, perhaps with some search argument or command?

Not that I'm aware of. I believe it's only one or the other.

Is there a way to make indexed rt the default for a role, but allow other roles to use normal rt?

I'm not aware of a way to apply limits.conf parameters to specific roles. I'm not seeing anything about that in its documentation either (http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Limitsconf).

Are there any guidelines on best practices for setting indexed_realtime_default_span?

None that I can find. If you don't mind me asking, what is your use case? Best practice is actually to use scheduled searches over real-time searches because real-time searches require a dedicated core.

bwalden_splunk
Splunk Employee

The use case is speculative, but I can imagine a customer who likes the resource-saving abilities of indexed realtime, but would like the ability to override it when needed. The default 60-second delay does not go over well with folks running an operations center and wanting an alert to fire as close to realtime as possible. So they'd desire the ability to run "real" realtime searches if needed.

masonmorales
Influencer

Understandable, but you can't schedule a search in Splunk to run more frequently than once every 60 seconds, and best practices suggest that you wouldn't want to. See: http://docs.splunk.com/Documentation/Splunk/6.2.2/Alert/Definescheduledalerts#Best_practices_for_sch...

With that aside, you could probably write a custom script that runs a search over the API however frequently you want.

If you really want real-time searches, you can run them, but keep in mind that each real-time search consumes 1 CPU core.
