Splunk Search

rt_md realtime searches?

arpit_arora
Explorer

Hello, does anyone what generates realtime searches whose search_id starts with "rt_md"?

I rarely run real time searches but if I look at audit.log, I see a bunch of searches under my username for which is_realtime field is set to 1. Also their search_ids begin with "rt_md".

However if I do run a real time search and look for it's search_id, it starts only with "rt_".

So what are these searches which I never ran but show up as realtime and their search_ids start with "rt_md"?

Tags (1)
0 Karma

aklgo
New Member

Hi Arpit. I have been trying to answer the same question and may have an answer for you.

Unfortunately this naming convention is not documented under Dispatch directory and search artifacts:
https://docs.splunk.com/Documentation/SplunkCloud/7.0.0/Search/Dispatchdirectoryandsearchartifacts

However, I found some information on the real-time metadata search in this post. Its a query that is embedded in the search app page which automatically retrieves a user's data:
https://answers.splunk.com/answers/171350/how-to-disable-real-time-searches-that-run-when-lo.html

I hope this helps!!

0 Karma

arpit_arora
Explorer

For example, here's a search_id and related search string.

'rt_md_1518568804.651085_0B533784-8A3E-4E74-B06C-8A3951E1D576'
'| metadata type=sourcetypes | search totalCount > 0'

I think "rt_md" stands for real time meta data search.

What is the nature of such searches?

0 Karma
Get Updates on the Splunk Community!

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...