Splunk Search

Shared realtime searches possible?

I have 4 dashboards each of which use 2-3 real time searches.

Now watching the dashboards with firebug I can see that all my visualizations call Splunk with the realtime search ID to get the latest data at regular intervals.

Now we have many users that would like to view these dashboards however it appears if two seperate users are viewing the same dashboard they will each have their own seperate realtime search running. Even though its the same search returning the same results.

Is there any way to have both users dashboards calling for results from the same searchID thus reducing the number of real time searches in use by the system. Having to have multiple versions of the same real time search really limits the number of users on the system.

Having shared real time searches would actually allow me to have 2 real time searches feed data to all 4 dashboards.

I was reading up on the internals of real time searches yesterday as well as many questions here. I am sure I found a post from a few years ago where someone said they were looking at including this behavior into future versions of Splunk. If I can find it again I will post the link here.

Tags (2)
1 Solution

Splunk Employee
Splunk Employee

yes. possible at 2 conditions:

  • it has to be a saved scheduled search
  • it has to be displayed in a dashboard that is using the saved search (not an inline search, and with the same timerange)

View solution in original post

Splunk Employee
Splunk Employee

yes. possible at 2 conditions:

  • it has to be a saved scheduled search
  • it has to be displayed in a dashboard that is using the saved search (not an inline search, and with the same timerange)

View solution in original post

Splunk Employee
Splunk Employee

last one :
- you get a single search running (the scheduled one)
and the dashboards shows the search results from the search artifacts.

0 Karma

Communicator

I've been trying this out, and I don't see how this works:
- Is the search still using a real-time timerange?
- Have you got the search both as real-time and with a schedule (e.g. cron)?
- Do you only get a single real-time search job running?

0 Karma

Contributor

You can also use post process with this to optimize even further!

0 Karma

Thanks for that it works perfectly.

We tried it with many people hammering the dashboards and never saw a realtime search limit warning appear.

Going to be using this method quite a lot I believe.

0 Karma