Solved: Real Time Searches

nikhilmehra79 · ‎12-31-2013

Any disadvantages if we are running real time searches and alerting using those, currently we are testing few functionalities in Dev/PreProd - but want to pick brain of exp community members if they can point to performance degradation issues if you run real time searches say Every Minute of less - and alert on them, or is better to increase time duration or Schedule searches...please advise.

linu1988 · ‎12-31-2013

Hello Nikhil,
Real-Time searches does require CPU most of the time. But unless necessary you can just schedule them to run every 1 min/2 mins. The real-time alerts definitely works and depends on your server configuration how much it can dedicate for alerts ,dedicated searches for user, scheduled searches. You can take a look in limits.conf for the CPU and search calculations.

View solution in original post

linu1988 · ‎12-31-2013

Hello Nikhil,
Real-Time searches does require CPU most of the time. But unless necessary you can just schedule them to run every 1 min/2 mins. The real-time alerts definitely works and depends on your server configuration how much it can dedicate for alerts ,dedicated searches for user, scheduled searches. You can take a look in limits.conf for the CPU and search calculations.

nikhilmehra79 · ‎12-31-2013

Thanks...so i am assuming advisable will be to schedule searches every 5-15 minutes etc (depend on your need as against doing same using Real time searches)

Real Time Searches

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!