Shared realtime searches possible?

phoenixdigital
Builder

I have 4 dashboards each of which use 2-3 real time searches.

Now, watching the dashboards with Firebug, I can see that all my visualizations call Splunk with the realtime search ID to get the latest data at regular intervals.

Now we have many users that would like to view these dashboards; however, it appears that if two separate users are viewing the same dashboard, they will each have their own separate realtime search running, even though it's the same search returning the same results.

Is there any way to have both users' dashboards calling for results from the same search ID, thus reducing the number of real time searches in use by the system? Having to have multiple versions of the same real time search really limits the number of users on the system.

Having shared real time searches would actually allow me to have 2 real time searches feed data to all 4 dashboards.

I was reading up on the internals of real time searches yesterday as well as many questions here. I am sure I found a post from a few years ago where someone said they were looking at including this behavior into future versions of Splunk. If I can find it again I will post the link here.

1 Solution

yannK
Splunk Employee

Yes, possible on 2 conditions:

  • it has to be a saved scheduled search
  • it has to be displayed in a dashboard that is using the saved search (not an inline search, and with the same timerange)

yannK
Splunk Employee

Last one:
- you get a single search running (the scheduled one)
and the dashboards show the search results from the search artifacts.

laserval
Communicator

I've been trying this out, and I don't see how this works:
- Is the search still using a real-time timerange?
- Have you got the search both as real-time and with a schedule (e.g. cron)?
- Do you only get a single real-time search job running?

watsm10
Communicator

You can also use post process with this to optimize even further!

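A Simple XML dashboard wired the way yannK's answer and watsm10's post-process suggestion describe, as an added example that is not part of the original thread: the saved search name `shared_error_summary` is an assumption, and it is assumed to already exist as a scheduled saved search (a savedsearches.conf stanza with `enableSched = 1` and a `cron_schedule`); the dashboard references it by name rather than embedding an inline query, and both panels post-process the one set of artifacts instead of dispatching searches of their own.

```xml
<dashboard>
  <label>Shared scheduled search (added example)</label>

  <!-- Assumed saved, scheduled search: every viewer of this dashboard (and
       any other dashboard using the same ref) reads the artifacts of the one
       scheduled job instead of dispatching a per-user search. Using ref=""
       rather than an inline <query> is what makes the sharing work. -->
  <search id="base_errors" ref="shared_error_summary"></search>

  <row>
    <panel>
      <title>Errors by host</title>
      <chart>
        <!-- Post-process: runs only over the base search's result set,
             so no extra search job is created for this panel. -->
        <search base="base_errors">
          <query>stats count by host</query>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>

    <panel>
      <title>Errors by sourcetype</title>
      <table>
        <!-- Second post-process of the same artifacts; the base search
             should keep its output small and field-filtered so that
             post-processing stays within Splunk's result limits. -->
        <search base="base_errors">
          <query>stats count by sourcetype</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Check the sharing in the Jobs view: with several users on the dashboard you should see one scheduled job for `shared_error_summary` rather than one search per viewer, the behaviour phoenixdigital reports below.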
phoenixdigital
Builder

Thanks for that it works perfectly.

We tried it with many people hammering the dashboards and never saw a realtime search limit warning appear.

Going to be using this method quite a lot I believe.
