What search commands are supported by real-time se...

Jason · ‎03-05-2013

What search commands are supported by real-time searches?

I can't find this information in the manual.

ChrisG · ‎04-26-2013

Quoting from the Search Manual topic, About real-time searches: "Real-time searches can take advantage of all Splunk search functionality, including advanced functionality like lookups, transactions, and so on. We've also designed search commands that are to be used specifically in conjunction with real-time searches, such as streamstats and rtorder."

ChrisG · ‎09-27-2013

Thanks, Jason. I will have the writer for the Search Manual look into that and update the docs!

Jason · ‎09-27-2013

Evidently that's not completely true, as you get an error "This command is not supported in a real-time search" when you try to run an | inputlookup in a real time search. Also, appends don't work, and don't give errors.

index=_internal | stats count by host | append [inputlookup allhosts] | stats max(count) as count by host works as expected on a non-RT search but doesn't show any values in the lookup that are not in the main seach when changed to RT.

Jason · ‎04-26-2013

Bump. There must be a listing of these somewhere?

What search commands are supported by real-time searches?

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application

New Splunk Innovations Enhance Performance and Accelerate Troubleshooting