Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Querying a Real Time search

atreece
Path Finder
‎02-16-2012 01:45 PM

I am trying to make an external dashboard for splunk that needs to be real time. At the moment, all we can do is make a script on our end to resend the search every so often and refresh the page for the new results.
What I want to know, however, is if there is a way to query splunk to make a real time search.
In other words, can a real time search be executed from some syntax in the search string? Without using the time range picker whatsoever?

EDIT: I have tried to use "earliest=rt-10m latest=rt" but got an error saying: Invalid value "rt-5m" for time term 'earliest'

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎02-21-2012 08:46 AM

Do you mean using real-time specifiers in the search string? This would give you a 5 minute real time window:

foobar=fizbaz earliest=rt-5 latest=rt

UPDATE: I asked the experts SS and Dr. Z, and this is expected behavior. Real-time search can only be set at the API level, such as time-range picker does, and not via the search string. Who knew?

View solution in original post

Reply
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎02-21-2012 08:46 AM

Do you mean using real-time specifiers in the search string? This would give you a 5 minute real time window:

foobar=fizbaz earliest=rt-5 latest=rt

UPDATE: I asked the experts SS and Dr. Z, and this is expected behavior. Real-time search can only be set at the API level, such as time-range picker does, and not via the search string. Who knew?

Reply
Solved! Jump to solution

mindtouch_adria
Explorer
‎10-02-2016 10:30 PM

Thank you for the helpful answer. If Real-time search can only be set at the API level, what is a good example to do this? I am using the Python SDK and I would like to find a way to setup Real-time search. I am starting with the "search.py" example.

Thank you

Reply
Solved! Jump to solution

jrodman
Splunk Employee
Splunk Employee
‎10-03-2016 12:21 PM

This should really be an independent question, though probably this answer should link to that information.

When interacting at the api level, the client has an explicitly choice of the first command, and can select rtsearch instead of search. However, you'll have to select different values for et / lt typically, such as the above discussed rt-5m.

0 Karma
Reply
Solved! Jump to solution

mindtouch_adria
Explorer
‎10-03-2016 03:09 PM

Ok, thanks jrodman. I'll create a new question.

0 Karma
Reply
Solved! Jump to solution

atreece
Path Finder
‎02-21-2012 11:37 AM

ok, thank you

0 Karma
Reply
Solved! Jump to solution

araitz
Splunk Employee
Splunk Employee
‎02-21-2012 11:26 AM

See my updated post above.

0 Karma
Reply
Solved! Jump to solution

atreece
Path Finder
‎02-21-2012 11:02 AM

I get the same for "rt-5"

0 Karma
Reply
Solved! Jump to solution

atreece
Path Finder
‎02-21-2012 11:01 AM

Invalid value "rt-5m" for time term 'earliest'

0 Karma
Reply
Solved! Jump to solution

araitz
Splunk Employee
Splunk Employee
‎02-21-2012 10:57 AM

What is the error that you receive?

0 Karma
Reply
Solved! Jump to solution

atreece
Path Finder
‎02-21-2012 10:39 AM

That's exactly what I thought should work, but when I tried it, I got an error.
Is there an additional parameter I need? or would this involve the config files?

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...