Build a real-time dashboard
This documentation does not apply to the most recent version of Splunk.
You can build a real-time dashboard using the visual dashboard editor, the simple XML, or the advanced XML. This topic covers the first two options. For instructions on building a real-time dashboard with the advanced XML, see How to build a real-time dashboard in the Advanced Web customization section of this manual.
Visual dashboard editor
To build a real-time dashboard with the visual dashboard editor, you first need to build a real-time saved search. When you save your search, make sure you specify real-time settings in the earliest and latest boxes of the saved search's Time range.
Simple XML
If you're building a dashboard using the simple XML, you can use the earliestTime and latestTime parameters to enable real-time searching. For example, to enable real-time searching in a table panel, use the following XML:
<table>
  <title>Look here for errors that you need to care about</title>
  <searchName>Errors in the last 24 hours</searchName>
  <fields>host, source, errorNumber</fields>
  <earliestTime>rt</earliestTime>
  <latestTime>rt</latestTime>
</table>
Set a search window
You can also set a window for your real-time dashboard. For example, say you want to show real-time events, but only from the last 5 minutes. Add an offset to the rt notation in your XML, like this:
<table>
  <title>Look here for errors that you need to care about</title>
  <searchName>Errors in the last 24 hours</searchName>
  <fields>host, source, errorNumber</fields>
  <earliestTime>rt-5m</earliestTime>
  <latestTime>rt</latestTime>
</table>
For more information on setting a search window, see the real-time search topic in the User Manual.
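The following Python script is an added example, not part of the Splunk documentation. It reads simple XML and reports, for each panel, whether earliestTime and latestTime enable real-time searching and how wide the search window is. It handles only the rt and rt-<N><unit> forms (the units s, m, h, d are an assumption beyond the page's rt-5m), and the sample dashboard, including its dashboard and row wrappers, is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Subset of the rt notation handled here (assumption): "rt" or "rt-<N><s|m|h|d>".
RT_RE = re.compile(r"^rt(?:-(\d+)([smhd]))?$")
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# Constructed sample; the first two panels reuse the page's time settings.
SAMPLE = """<dashboard><row>
  <table><title>Errors, no window</title>
    <earliestTime>rt</earliestTime><latestTime>rt</latestTime></table>
  <table><title>Errors, last 5 minutes</title>
    <earliestTime>rt-5m</earliestTime><latestTime>rt</latestTime></table>
  <table><title>Errors, historical</title>
    <earliestTime>-24h</earliestTime><latestTime>now</latestTime></table>
  <table><title>Errors, half configured</title>
    <earliestTime>rt-5m</earliestTime><latestTime>now</latestTime></table>
</row></dashboard>"""

def rt_offset(value):
    """Seconds behind 'now' for an rt value; None if the value is not rt notation."""
    m = RT_RE.match((value or "").strip())
    if not m:
        return None
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)] if m.group(1) else 0

def audit(xml_text):
    """Return (title, status, window_seconds) for every panel that sets a time range."""
    results = []
    for panel in ET.fromstring(xml_text).iter():
        earliest, latest = panel.findtext("earliestTime"), panel.findtext("latestTime")
        if earliest is None and latest is None:
            continue  # element is not a panel with time parameters
        start, end = rt_offset(earliest), rt_offset(latest)
        title = panel.findtext("title", default="(untitled)")
        if start is None and end is None:
            results.append((title, "not real-time", None))
        elif start is None or end is None:
            results.append((title, "mixed real-time and historical", None))
        elif start > end:
            results.append((title, "real-time window", start - end))
        elif start == end == 0:
            results.append((title, "real-time, no window", None))
        else:
            results.append((title, "invalid window", None))
    return results

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Panels reported as "mixed real-time and historical" or "invalid window" are the ones to review before relying on the dashboard for monitoring.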
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8