Splunk Search

One-Table Combining Different Search Results in Real-Time

mlorrette
Path Finder

My end goal is to show events in one table coming from multiple searches in real time. They all have the same fields. appendcols usually works but not in real-time.

My ideas were:
- Each of the real-time searches will append its results to the same CSV; a different search will display that CSV in real-time.
- Create a dashboard with a panel for each search, somehow dynamically combine them; or at least make them look combined.

There's possibly a much simpler answer for this which I'm missing. Any help appreciated!

0 Karma

DalJeanis
Legend

1) Never use appendcols. There is never a guarantee that the right items are being connected up. Also, if the searches all have the same fields, then appendcols makes no sense whatsoever. append is probably what you meant.

2) What you are doing pretty much guarantees that none of the source searches should be "real time". What Splunk calls "real time" should only be used when the SLA for fixing whatever comes up is SECONDS. Instead, schedule a periodic search every 1m or 2m or 3m and you will get better performance and the same speed of viewing the data.

3) Consider a summary index. Each of your searches will scan the raw events and summarize them to the few columns that you need to know, then write them to a summary index. Your dash will read the summary index created by those other searches.

0 Karma
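As an added example (not from the original thread, and not code posted by either author), here is what the three points above look like as savedsearches.conf stanzas: each source search is scheduled rather than real-time, normalizes its events to the same few columns, and writes them to a summary index via the built-in summary-index action; one more stanza holds the search a dashboard panel runs against that index; a final stanza shows the single-search alternative using append instead of appendcols. The index names (web, app, summary_combined), sourcetypes, field names and stanza names are assumed placeholders.

```ini
# Added example: scheduled feeder searches plus the dashboard search that
# combines them. All index, sourcetype, field and stanza names are assumed.

# --- Feeder 1: web 5xx errors. Runs every 2 minutes over the previous
# 2 minutes (no window overlap, so no duplicates in the summary index).
[combined_feed_web_errors]
enableSched = 1
cron_schedule = */2 * * * *
dispatch.earliest_time = -2m@m
dispatch.latest_time = @m
search = index=web sourcetype=access_combined status>=500 \
| eval feed="web_errors", message=uri \
| table _time feed host message
action.summary_index = 1
action.summary_index._name = summary_combined

# --- Feeder 2: application log errors, same schedule and window, and the
# same output columns so the rows line up in one table.
[combined_feed_app_errors]
enableSched = 1
cron_schedule = */2 * * * *
dispatch.earliest_time = -2m@m
dispatch.latest_time = @m
search = index=app sourcetype=app_log level=ERROR \
| eval feed="app_errors" \
| table _time feed host message
action.summary_index = 1
action.summary_index._name = summary_combined

# --- Feeder 3: failed logins from the auth logs.
[combined_feed_auth_failures]
enableSched = 1
cron_schedule = */2 * * * *
dispatch.earliest_time = -2m@m
dispatch.latest_time = @m
search = index=app sourcetype=auth_log action=failure \
| eval feed="auth_failures", message="login failure for ".user \
| table _time feed host message
action.summary_index = 1
action.summary_index._name = summary_combined

# --- Dashboard search: reads only the small summary index. Summary
# indexing records the saved-search name as source, so a wildcard on it
# selects every feeder. Refresh the panel every minute or two; no
# real-time search is needed.
[combined_feed_dashboard]
search = index=summary_combined source="combined_feed_*" \
| sort - _time \
| table _time feed host message

# --- Alternative for a one-off query (point 1): append, not appendcols.
# appendcols joins rows by position; append stacks result sets, which is
# what "same fields, one table" means.
[combined_feed_adhoc]
search = index=web sourcetype=access_combined status>=500 \
| eval feed="web_errors", message=uri \
| table _time feed host message \
| append [ search index=app sourcetype=app_log level=ERROR \
           | eval feed="app_errors" \
           | table _time feed host message ] \
| sort - _time
```

The feeders use the summary-index action rather than collect in the search string so that Splunk handles the write and the stash sourcetype; the dispatch window matches the cron interval exactly, which is what keeps the summary index free of duplicates without a dedup step. In the dashboard, set the panel's search to refresh on a short interval (Simple XML's refresh element on the search) instead of marking it real-time, which is the behaviour point 2 recommends.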