Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Switching saved, scheduled searches to real time

SteveS
Splunk Employee
Splunk Employee
‎03-31-2010 11:50 PM

If I have a bunch of saved searches I run hourly, what should I consider before switching any or all of them to real time searches (with Splunk 4.1)?

Reply
2 Solutions
Solved! Jump to solution
Solution

Erik_Swan
Splunk Employee
Splunk Employee
‎04-01-2010 04:34 AM

In 4.1 we provide real time search that will operate on the live stream of data prior to being indexed. For real time searches there is no notion of running on a schedule - they are either running or not. When running they will stream results to the UI, through the cli, or over the REST endpoint.

Typically you would use a scheduled search for alerting or to populate a summary index. At least for the first 4.1 releases we suggest that you stay with a scheduled search for alerting or populating a summary and use real time searches on dashboards and when watching the results of a search.

A good starting point would be to clone some of your scheduled searches and try changing the time range picker to real time and see what the real time stream looks like.

View solution in original post

Reply
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎04-05-2010 08:31 PM

I think the simple answer is that we don't yet have real-time search based alerting, so probably most of your existing searches will want to stay as-is. However, there are some searches which might be useful more as an investigative realtime search than a periodically generated report, etc. But that would be highly specific to the searches and the user stories.

View solution in original post

Reply
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎04-05-2010 08:31 PM

I think the simple answer is that we don't yet have real-time search based alerting, so probably most of your existing searches will want to stay as-is. However, there are some searches which might be useful more as an investigative realtime search than a periodically generated report, etc. But that would be highly specific to the searches and the user stories.

Reply
Solved! Jump to solution
Solution

Erik_Swan
Splunk Employee
Splunk Employee
‎04-01-2010 04:34 AM

In 4.1 we provide real time search that will operate on the live stream of data prior to being indexed. For real time searches there is no notion of running on a schedule - they are either running or not. When running they will stream results to the UI, through the cli, or over the REST endpoint.

Typically you would use a scheduled search for alerting or to populate a summary index. At least for the first 4.1 releases we suggest that you stay with a scheduled search for alerting or populating a summary and use real time searches on dashboards and when watching the results of a search.

A good starting point would be to clone some of your scheduled searches and try changing the time range picker to real time and see what the real time stream looks like.

Reply
Get Updates on the Splunk Community!

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

The Splunk Community Dashboard Challenge is still happening, and it's not too late to enter for the week of ...

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

What is the Builder Bar? The Builder Bar is more than just a place; it's a hub of creativity, collaboration, ...

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...