Splunk Search

Non-windowed realtime search

Explorer

On page 62 of the Splunk Search manual, it mentions that: "Windowed real-time searches are more expensive than non-windowed." And: "If your windowed search does not display the expected number of events, try a non-windowed search."

From what I understand, when you specify a time range in the Realtime search query, that makes it a "windowed" search. How do I run a non-windowed search in that case? I am simply interested in reading the newest events coming into the system, without doing any buffering on the server side. I am using the Java SDK for this.

Cheers

1 Solution

SplunkTrust

You'll get a non-windowed realtime search by setting earliest_time=rt and latest_time=rt.


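What the accepted answer looks like in the Java SDK, as an added example that is not part of the original thread and not taken from the SDK documentation. It uses the export endpoint (`Service.export`), which streams results instead of spooling them into a server-side job, and sets `search_mode=realtime` with `earliest_time=rt` and `latest_time=rt` for the non-windowed case; a 30-second windowed variant is built beside it for contrast. Host, credentials (read from environment variables, never hard-coded), the management port, the `index=_internal` search and the `SPLUNK_*` variable names are assumptions for the example.

```java
// Added example: streaming a non-windowed real-time search with the Splunk Java SDK.
// Assumed: SPLUNK_HOST, SPLUNK_USER and SPLUNK_PASSWORD environment variables,
// management port 8089, and an account allowed to search "index=_internal".
import com.splunk.Event;
import com.splunk.HttpService;
import com.splunk.JobExportArgs;
import com.splunk.MultiResultsReaderJson;
import com.splunk.SSLSecurityProtocol;
import com.splunk.SearchResults;
import com.splunk.Service;
import com.splunk.ServiceArgs;

import java.io.IOException;
import java.io.InputStream;

public class RealtimeTail {

    /**
     * Build export arguments for a real-time search.
     *   windowed == true  -> earliest_time=rt-30s, latest_time=rt : the server keeps a 30 s
     *                        sliding window of events (more expensive, per the Search manual)
     *   windowed == false -> earliest_time=rt,     latest_time=rt : no window, events are
     *                        pushed to the client as they arrive
     */
    static JobExportArgs realtimeArgs(boolean windowed) {
        JobExportArgs args = new JobExportArgs();
        // search_mode=realtime is required; without it "rt" is not interpreted as real time
        args.setSearchMode(JobExportArgs.SearchMode.REALTIME);
        args.setEarliestTime(windowed ? "rt-30s" : "rt");
        args.setLatestTime("rt");
        args.setOutputMode(JobExportArgs.OutputMode.JSON);
        return args;
    }

    public static void main(String[] argv) throws IOException {
        // Recent SDK versions default to an SSL protocol splunkd rejects; pin TLS 1.2.
        HttpService.setSslSecurityProtocol(SSLSecurityProtocol.TLSv1_2);

        ServiceArgs login = new ServiceArgs();
        login.setHost(System.getenv("SPLUNK_HOST"));          // assumed env var
        login.setPort(8089);                                  // assumed management port
        login.setUsername(System.getenv("SPLUNK_USER"));      // assumed env var
        login.setPassword(System.getenv("SPLUNK_PASSWORD"));  // assumed env var; keep secrets out of source
        Service service = Service.connect(login);

        int maxEvents = argv.length > 0 ? Integer.parseInt(argv[0]) : 20;
        String query = "search index=_internal sourcetype=splunkd";  // assumed search

        // For a real-time search the export stream never ends on its own, so the client
        // decides when to stop and must close the stream to release the search on the server.
        InputStream stream = service.export(query, realtimeArgs(false));
        MultiResultsReaderJson reader = new MultiResultsReaderJson(stream);
        try {
            int seen = 0;
            for (SearchResults batch : reader) {        // each batch is a preview chunk
                for (Event event : batch) {
                    System.out.println(event.get("_time") + " " + event.get("_raw"));
                    if (++seen >= maxEvents) {
                        return;                         // finally block closes the stream
                    }
                }
            }
        } finally {
            reader.close();
            stream.close();
        }
    }
}
```

Run it with the event count as the first argument (`java RealtimeTail 50`); swap `realtimeArgs(false)` for `realtimeArgs(true)` to see the windowed behaviour the manual describes as more expensive. Because the export endpoint keeps the HTTP connection open for the life of the search, a client that exits without closing the stream leaves a real-time search running on the search head until splunkd notices the dead socket, so the explicit close matters.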

SplunkTrust

There is a realtimebuffer of 10000 defined in http://docs.splunk.com/Documentation/Splunk/6.0.2/Admin/limitsconf - I'm not sure if that's relevant for you though because that setting mentions splunkweb. There's also a queuesize of 10000, maybe more.


Explorer

Thanks Martin. Do you know if there is a rate limit for the number of events forwarded to a realtime query?
