Splunk Search

Realtime search with a sliding window that doesn't snap to the hour?

ravida
Explorer

Hi folks,

I have a realtime search that looks at failed windows logins, producing a "single value" timechart visualization with a sparkline and trend value next to it.

index=windows EventCode=4625 | timechart span=1h count

Instead of having it snap to the hour, I would like it to show the values without snapping, effectively grouping by the current minute - 60m for each.  Is there a way to group that in real time searches? 


richgalloway
SplunkTrust

Have you tried a 60-minute span?

index=windows EventCode=4625 | timechart span=60m count

I should also say that realtime searches should be avoided as much as possible (and more).  That pretty, updates-continuously dashboard panel is tying up one CPU on the SH and every indexer, multiplied by the number of people who have the dashboard open.  Unless you have really fast people watching the screen 24/7 or automation that does the same then you're wasting resources with realtime search and should consider a scheduled search that runs every 5 minutes.

---
If this reply helps you, Karma would be appreciated.
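To make the difference between the two groupings concrete, here is an added Python illustration (not code from either poster, and not Splunk SPL): it parses a handful of constructed EventCode=4625 lines and computes, for the same instant, the count that an hour-snapped `timechart span=1h` bucket yields versus the count for the trailing 60 minutes ending "now", plus the trend against the previous trailing window that a single-value panel would show. The sample timestamps and the `trailing_count`/`snapped_count` helper names are my own assumptions for the demonstration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real log data): Windows security events as a
# realtime search might see them. Only EventCode=4625 (failed logon) counts.
SAMPLE_EVENTS = [
    "2024-05-01T09:05:00 EventCode=4625 Account=alice",
    "2024-05-01T09:40:00 EventCode=4625 Account=bob",
    "2024-05-01T09:58:00 EventCode=4625 Account=bob",
    "2024-05-01T10:02:00 EventCode=4625 Account=carol",
    "2024-05-01T10:15:00 EventCode=4625 Account=bob",
    "2024-05-01T10:31:00 EventCode=4624 Account=alice",  # successful logon, excluded
]


def parse_events(lines, event_code="4625"):
    """Return timestamps of the lines whose EventCode equals event_code."""
    stamps = []
    for line in lines:
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kv.get("EventCode") == event_code:
            stamps.append(datetime.fromisoformat(ts))
    return stamps


def snapped_count(stamps, now, span=timedelta(hours=1)):
    """What a timechart span=1h bucket reports: events in the hour-aligned
    bucket that contains `now` (bucket boundaries snap to the hour)."""
    bucket_start = now.replace(minute=0, second=0, microsecond=0)
    return sum(1 for t in stamps if bucket_start <= t < bucket_start + span)


def trailing_count(stamps, now, window=timedelta(minutes=60)):
    """What the question asks for: events in the 60 minutes ending at `now`,
    wherever the hour boundary happens to fall."""
    return sum(1 for t in stamps if now - window < t <= now)


def trend(stamps, now, window=timedelta(minutes=60)):
    """Trailing-window count minus the previous window's count, i.e. the
    delta a single-value panel's trend indicator would display."""
    current = trailing_count(stamps, now, window)
    previous = trailing_count(stamps, now - window, window)
    return current - previous


if __name__ == "__main__":
    now = datetime.fromisoformat("2024-05-01T10:20:00")
    stamps = parse_events(SAMPLE_EVENTS)
    print("hour-snapped bucket (10:00-11:00):", snapped_count(stamps, now))
    print("trailing 60m (09:20-10:20):       ", trailing_count(stamps, now))
    print("trend vs previous 60m:            ", trend(stamps, now))
```

At 10:20 the snapped bucket only sees the two failures since 10:00, while the trailing window sees four; that gap is exactly what the asker notices when the panel resets at the top of the hour. A scheduled search that runs every few minutes over a fixed trailing range (my own suggestion, along the lines of `earliest=-60m@m latest=@m | stats count`, not from either post) produces the trailing number directly without the realtime-search cost described above.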