Querying a Real Time search

Path Finder

I am trying to make an external dashboard for splunk that needs to be real time. At the moment, all we can do is make a script on our end to resend the search every so often and refresh the page for the new results.
What I want to know, however, is if there is a way to query splunk to make a real time search.
In other words, can a real time search be executed from some syntax in the search string? Without using the time range picker whatsoever?

EDIT: I have tried to use "earliest=rt-10m latest=rt" but got an error saying: Invalid value "rt-5m" for time term 'earliest'

1 Solution

Splunk Employee

Do you mean using real-time specifiers in the search string? This would give you a 5 minute real time window:

foobar=fizbaz earliest=rt-5 latest=rt

UPDATE: I asked the experts SS and Dr. Z, and this is expected behavior. Real-time search can only be set at the API level, as the time-range picker does, and not via the search string. Who knew?

Thank you for the helpful answer. If real-time search can only be set at the API level, what is a good example of how to do this? I am using the Python SDK and I would like to find a way to set up a real-time search. I am starting with the "search.py" example.

Thank you

Splunk Employee

This should really be an independent question, though probably this answer should link to that information.

When interacting at the API level, the client has an explicit choice of the first command, and can select rtsearch instead of search. However, you'll have to select different values for et / lt typically, such as the above discussed rt-5m.

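An added example of what the answer above describes, written for this page rather than taken from the thread or from the Splunk Python SDK. It starts a real-time job through the search/jobs REST endpoint, where real-time mode is a property of the job request (search_mode=realtime plus rt-relative earliest_time/latest_time), not of the SPL text. It uses only the Python standard library, so it runs offline up to the point of actually posting the job. The host https://splunk.example:8089, the SPLUNK_URL/SPLUNK_TOKEN environment variables and the rt-modifier regex are assumptions for illustration; the regex approximates the documented rt[+-]N[unit][@snap] shape and is not Splunk's own parser.

```python
"""Start a Splunk real-time search via POST /services/search/jobs.

Real-time mode is requested on the job, not inside the SPL string:
search_mode=realtime together with rt-relative earliest_time/latest_time.
A term such as earliest=rt-5m written into the search string itself is
rejected by the search parser (the error seen in the thread above).
"""
import json
import os
import re
import ssl
import sys
import urllib.parse
import urllib.request

# Assumed approximation of the rt modifier shape: "rt", "rt-5m", "rt+30s",
# "rt-1h@h". Not Splunk's parser; good enough to catch obvious typos early.
_RT_MODIFIER = re.compile(r"^rt(?:[+-]\d+(?:s|m|h|d|w|mon|y)?(?:@\w+)?)?$")


def is_rt_modifier(value: str) -> bool:
    """True if value looks like a real-time relative time modifier."""
    return bool(_RT_MODIFIER.match(value))


def build_realtime_job_params(spl: str, window: str = "rt-5m",
                              output_mode: str = "json") -> dict:
    """Return the form fields for POST /services/search/jobs.

    The SPL must not carry earliest=/latest= rt terms; those go in the
    earliest_time/latest_time request fields. A leading 'search ' is added
    when the string does not already start with a command.
    """
    if re.search(r"\b(earliest|latest)\s*=\s*rt", spl):
        raise ValueError("rt time terms are not valid inside the search "
                         "string; pass them as earliest_time/latest_time")
    if not is_rt_modifier(window):
        raise ValueError(f"earliest_time {window!r} is not an rt modifier")
    if not spl.lstrip().startswith(("search ", "|")):
        spl = "search " + spl
    return {
        "search": spl,
        "search_mode": "realtime",   # this, not the SPL, makes the job real-time
        "earliest_time": window,     # e.g. rt-5m: rolling five-minute window
        "latest_time": "rt",
        "output_mode": output_mode,
    }


def start_realtime_job(base_url: str, token: str, spl: str,
                       window: str = "rt-5m") -> str:
    """POST the job and return its sid.

    Authenticates with a Splunk authentication token (Authorization: Bearer)
    over a verifying TLS context. Do not disable certificate checks on the
    management port: it carries the token and the search results. The
    calling user's role needs the rtsearch capability.
    """
    params = build_realtime_job_params(spl, window)
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/services/search/jobs",
        data=urllib.parse.urlencode(params).encode(),
        headers={"Authorization": f"Bearer {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ssl.create_default_context(),
                                timeout=30) as resp:
        return json.load(resp)["sid"]


def results_preview_url(base_url: str, sid: str, count: int = 100) -> str:
    """A real-time job never reaches DONE; poll results_preview instead
    of results to read the current contents of the rolling window."""
    return (f"{base_url.rstrip('/')}/services/search/jobs/"
            f"{urllib.parse.quote(sid, safe='')}/results_preview"
            f"?output_mode=json&count={count}")


if __name__ == "__main__":
    # Assumed environment for the demo; keep the token out of the source.
    base = os.environ.get("SPLUNK_URL", "https://splunk.example:8089")
    tok = os.environ.get("SPLUNK_TOKEN")
    if not tok:
        sys.exit("set SPLUNK_TOKEN to a Splunk authentication token")
    sid = start_realtime_job(base, tok, "foobar=fizbaz", "rt-5m")
    print("real-time sid:", sid)
    print("poll:", results_preview_url(base, sid))
```

With the Splunk Python SDK the same request is the keyword arguments passed through to the endpoint, i.e. `service.jobs.create("search foobar=fizbaz", search_mode="realtime", earliest_time="rt-5m", latest_time="rt")`, which is the API-level choice the answer above refers to. Real-time jobs hold an indexer thread open for as long as they run, so cancel them when the dashboard stops polling rather than creating a new one on every refresh.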

Ok, thanks jrodman. I'll create a new question.


Path Finder

ok, thank you


Splunk Employee

See my updated post above.


Path Finder

I get the same for "rt-5"


Path Finder

Invalid value "rt-5m" for time term 'earliest'


Splunk Employee

What is the error that you receive?


Path Finder

That's exactly what I thought should work, but when I tried it, I got an error.
Is there an additional parameter I need? Or would this involve the config files?
