Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Realtime report

jadengoho
Builder
‎05-16-2018 07:13 PM

I am trying to create a dashboard in realtime , a savedsearch that ouputcsv then used that in the dashboard (20panel)

currently i have a search(4hrs) that outputcsv but not in REALTIME, would it be possible to outputcsv in a realtime search.
If not , what would be the easier way ?

0 Karma
Reply

adonio
Ultra Champion
‎05-18-2018 07:23 AM

why would you want to constantly output a csv?
can you elaborate on what is it that you are trying to achieve here?

0 Karma
Reply

hortonew
Builder
‎05-18-2018 08:29 PM

Yea a use case would be nice to have. The problem with constantly updating a csv is you're constantly changing the search knowledge bundle, and I'm not entirely sure what that would do to your environment. A better approach might involve summary indexing, kvstore, or data model + acceleration at the end of the day. I would think constantly outputting a csv would be the last thing you'd want to do.

Reply

jadengoho
Builder
‎05-20-2018 05:10 PM

Here is the situation :
I have a dashboard with 20 panels, each panel do different things.
- it must get the 24hrs worth of data (12,000+ data per 24hrs)
- It must be in real time( every 5-30 seconds if possible) since it was using a time chart
- must work smoothly as possible

Now here's my concern:
- If I use a data model + acceleration/ summary indexing: would it gather new data less than a minute ago?

Why did i use outputcsv ?
- I create a saved search that outputcsv file every minute ( that the shortest chron I think ), I kind of lost of option that why I choose it.

What is the best way to handle this kind of situation?

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...