Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Realtime report

jadengoho
Builder
‎05-16-2018 07:13 PM

I am trying to create a dashboard in realtime , a savedsearch that ouputcsv then used that in the dashboard (20panel)

currently i have a search(4hrs) that outputcsv but not in REALTIME, would it be possible to outputcsv in a realtime search.
If not , what would be the easier way ?

0 Karma
Reply

adonio
Ultra Champion
‎05-18-2018 07:23 AM

why would you want to constantly output a csv?
can you elaborate on what is it that you are trying to achieve here?

0 Karma
Reply

hortonew
Builder
‎05-18-2018 08:29 PM

Yea a use case would be nice to have. The problem with constantly updating a csv is you're constantly changing the search knowledge bundle, and I'm not entirely sure what that would do to your environment. A better approach might involve summary indexing, kvstore, or data model + acceleration at the end of the day. I would think constantly outputting a csv would be the last thing you'd want to do.

Reply

jadengoho
Builder
‎05-20-2018 05:10 PM

Here is the situation :
I have a dashboard with 20 panels, each panel do different things.
- it must get the 24hrs worth of data (12,000+ data per 24hrs)
- It must be in real time( every 5-30 seconds if possible) since it was using a time chart
- must work smoothly as possible

Now here's my concern:
- If I use a data model + acceleration/ summary indexing: would it gather new data less than a minute ago?

Why did i use outputcsv ?
- I create a saved search that outputcsv file every minute ( that the shortest chron I think ), I kind of lost of option that why I choose it.

What is the best way to handle this kind of situation?

0 Karma
Reply
Get Updates on the Splunk Community!

The OpenTelemetry Certified Associate (OTCA) Exam

What’s this OTCA exam? The Linux Foundation offers the OpenTelemetry Certified Associate (OTCA) credential to ...

From Manual to Agentic: Level Up Your SOC at Cisco Live

Welcome to the Era of the Agentic SOC   Are you tired of being a manual alert responder? The security ...

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

Welcome back to Splunk Classroom Chronicles, our ongoing series where we shine a light on what really happens ...