Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Realtime search with offset

Stefan_van_de_R
Explorer
‎07-04-2012 06:33 AM

Hi,

Does anyone know if it is possible to do a realtime search with an offset?
The data that comes in has a delay of 5 minutes.
I tried in savedsearched.conf to set te latest_time at rt-5m but this doens't work.
Is it supported or should I search on another way?

-- Stefan

0 Karma
Reply

rturk
Builder
‎07-04-2012 06:49 AM

Hi Stefan,

Unfortunately as Splunk is essentially a passive reporting tool it can only report on events when it knows about them.

Having a rolling 5 minute RT window when data is dumped in at 5 minute intervals means you're going to miss events in the window you've specified.

If there is a requirement to report on this data in "real-time", then it might be worth looking at your data collection method and seeing whether the frequency of updates can be ramped up or whether the device/application you're collecting data from can output events so the Universal Forwarder can collect them and forward them as they are created (either by tailing a log or as a network stream).

I hope this has helped in some way!

Reply

Stefan_van_de_R
Explorer
‎07-17-2012 04:13 AM

Thanks for your answer. For the moment, I accept the situation for what is. I didn't came up yet with tailing the log but that isn't a bad idea at all and will consider implementing it when I'm done with the Must-have requirements 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...