Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Realtime report

jadengoho
Builder
‎05-16-2018 07:13 PM

I am trying to create a dashboard in realtime , a savedsearch that ouputcsv then used that in the dashboard (20panel)

currently i have a search(4hrs) that outputcsv but not in REALTIME, would it be possible to outputcsv in a realtime search.
If not , what would be the easier way ?

0 Karma
Reply

adonio
Ultra Champion
‎05-18-2018 07:23 AM

why would you want to constantly output a csv?
can you elaborate on what is it that you are trying to achieve here?

0 Karma
Reply

hortonew
Builder
‎05-18-2018 08:29 PM

Yea a use case would be nice to have. The problem with constantly updating a csv is you're constantly changing the search knowledge bundle, and I'm not entirely sure what that would do to your environment. A better approach might involve summary indexing, kvstore, or data model + acceleration at the end of the day. I would think constantly outputting a csv would be the last thing you'd want to do.

Reply

jadengoho
Builder
‎05-20-2018 05:10 PM

Here is the situation :
I have a dashboard with 20 panels, each panel do different things.
- it must get the 24hrs worth of data (12,000+ data per 24hrs)
- It must be in real time( every 5-30 seconds if possible) since it was using a time chart
- must work smoothly as possible

Now here's my concern:
- If I use a data model + acceleration/ summary indexing: would it gather new data less than a minute ago?

Why did i use outputcsv ?
- I create a saved search that outputcsv file every minute ( that the shortest chron I think ), I kind of lost of option that why I choose it.

What is the best way to handle this kind of situation?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...