Solved: Real Time Searches

nikhilmehra79 · ‎12-31-2013

Any disadvantages if we are running real time searches and alerting using those, currently we are testing few functionalities in Dev/PreProd - but want to pick brain of exp community members if they can point to performance degradation issues if you run real time searches say Every Minute of less - and alert on them, or is better to increase time duration or Schedule searches...please advise.

linu1988 · ‎12-31-2013

Hello Nikhil,
Real-Time searches does require CPU most of the time. But unless necessary you can just schedule them to run every 1 min/2 mins. The real-time alerts definitely works and depends on your server configuration how much it can dedicate for alerts ,dedicated searches for user, scheduled searches. You can take a look in limits.conf for the CPU and search calculations.

View solution in original post

linu1988 · ‎12-31-2013

Hello Nikhil,
Real-Time searches does require CPU most of the time. But unless necessary you can just schedule them to run every 1 min/2 mins. The real-time alerts definitely works and depends on your server configuration how much it can dedicate for alerts ,dedicated searches for user, scheduled searches. You can take a look in limits.conf for the CPU and search calculations.

nikhilmehra79 · ‎12-31-2013

Thanks...so i am assuming advisable will be to schedule searches every 5-15 minutes etc (depend on your need as against doing same using Real time searches)

Real Time Searches

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?