I am trying to make an external dashboard for splunk that needs to be real time. At the moment, all we can do is make a script on our end to resend the search every so often and refresh the page for the new results.
What I want to know, however, is if there is a way to query splunk to make a real time search.
In other words, can a real time search be executed from some syntax in the search string? Without using the time range picker whatsoever?
EDIT: I have tried to use "
earliest=rt-10m latest=rt" but got an error saying:
Invalid value "rt-5m" for time term 'earliest'
Do you mean using real-time specifiers in the search string? This would give you a 5 minute real time window:
foobar=fizbaz earliest=rt-5 latest=rt
UPDATE: I asked the experts SS and Dr. Z, and this is expected behavior. Real-time search can only be set at the API level, such as time-range picker does, and not via the search string. Who knew?
That's exactly what I thought should work, but when I tried it, I got an error.
Is there an additional parameter I need? or would this involve the config files?
Thank you for the helpful answer. If Real-time search can only be set at the API level, what is a good example to do this? I am using the Python SDK and I would like to find a way to setup Real-time search. I am starting with the "search.py" example.
This should really be an independent question, though probably this answer should link to that information.
When interacting at the api level, the client has an explicitly choice of the first command, and can select rtsearch instead of search. However, you'll have to select different values for et / lt typically, such as the above discussed rt-5m.