I am looking for a few parameters to make my RT search work better. Currently, I am limited to using Java search with the following.

    import com.splunk.Job;
    import com.splunk.JobArgs;
    import com.splunk.JobResultsPreviewArgs;
    import java.io.InputStream;

    final String mySearch = "search index=mydata";

    // Arguments for a real-time search job
    final JobArgs rtJobArgs = new JobArgs();
    rtJobArgs.setExecutionMode(JobArgs.ExecutionMode.NORMAL);
    rtJobArgs.setSearchMode(JobArgs.SearchMode.REALTIME);
    rtJobArgs.setEarliestTime("rt");
    rtJobArgs.setLatestTime("rt");
    rtJobArgs.setStatusBuckets(0);

    final Job job = service.search(mySearch, rtJobArgs);

    // Wait until the job is ready to serve previews
    while (!job.isReady()) {
        SplunkDataUtils.sleep(500);
    }

    final JobResultsPreviewArgs previewArgs = new JobResultsPreviewArgs();
    previewArgs.setCount(500); // Retrieve 500 previews at a time
    previewArgs.put("field_list", "_raw,host,source");

    while (true) { // dummy loop for this example
        final InputStream stream = job.getResultsPreview(previewArgs);
        parseResults(stream); // loops through the stream
        stream.close();
        sleep(250);
    }

    // Not reached while the dummy loop above runs forever
    job.cancel();

This search continues to return the same records each time through the loop (plus any new data injected). What I need is for the window to slide with time in real time and not continually return the records from the same start time. I assume setEarliestTime("rt") is evaluated once at the time rtJobArgs is created. How can I reset the earliest time on each loop iteration?
Another issue is setCount(500): it would be a non-issue if the rt window slid, but it fills up quickly with old data.
Another question is setStatusBuckets: do I need to use these for my search?
Thanks.