What search commands are supported by real-time se...

Jason · ‎03-05-2013

What search commands are supported by real-time searches?

I can't find this information in the manual.

ChrisG · ‎04-26-2013

Quoting from the Search Manual topic, About real-time searches: "Real-time searches can take advantage of all Splunk search functionality, including advanced functionality like lookups, transactions, and so on. We've also designed search commands that are to be used specifically in conjunction with real-time searches, such as streamstats and rtorder."

ChrisG · ‎09-27-2013

Thanks, Jason. I will have the writer for the Search Manual look into that and update the docs!

Jason · ‎09-27-2013

Evidently that's not completely true, as you get an error "This command is not supported in a real-time search" when you try to run an | inputlookup in a real time search. Also, appends don't work, and don't give errors.

index=_internal | stats count by host | append [inputlookup allhosts] | stats max(count) as count by host works as expected on a non-RT search but doesn't show any values in the lookup that are not in the main seach when changed to RT.

Jason · ‎04-26-2013

Bump. There must be a listing of these somewhere?

What search commands are supported by real-time searches?

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)