Real-time search, reports, and dashboards
This feature adds a new time range option called "Real-time", which searches forward in time as events arrive (as opposed to historical searches over already-indexed data). Users can view, search, and report on events as they stream in, before Splunk's indexing process has completed, making data available immediately.
Users can apply traditional boolean search operators or any other part of the search language (such as statistical reporting commands) to create customized real-time search 'streams' that push incoming data to the user. Additionally, real-time streams can update transaction counts or calculate metrics in real time on large incoming data flows. Users can then combine multiple real-time searches and reports on a dashboard that can be shared with others.
This new feature can be accessed from the command-line or Splunk Web.
- For more information, refer to "Real-time search and reporting" in the User Manual.
- If you'd like to enable real-time search in a dashboard you've already built in simple XML, see "Build a real-time dashboard."
- For advanced XML, see "How to build a real time dashboard" in the Developer Manual.
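The following is an added example, not taken from the Splunk documentation, showing what a real-time panel in a simple XML dashboard looks like in practice: a sliding five-minute stream of failed logins grouped by source address, the kind of view a security operations team would keep on a wall monitor. It assumes events carry fields named action, user and src_ip and live in an index called "auth" (all constructed for the example), and that the rt-5m / rt time modifiers select a real-time window of the last five minutes; the threshold of ten failures is illustrative.

```xml
<!-- Added example (not from the Splunk documentation): a simple XML dashboard
     with one real-time panel.
     Assumptions: events carry fields named action, user and src_ip and live
     in an index called "auth" (constructed names); the rt-5m / rt time
     modifiers select a five-minute sliding real-time window; the threshold
     of 10 failures is arbitrary and should be tuned to the environment. -->
<dashboard>
  <label>Authentication failures (real-time)</label>
  <row>
    <chart>
      <title>Sources with 10 or more failed logins, sliding 5-minute window</title>
      <!-- The search string is ordinary SPL; only the time range makes it real-time.
           '>' is written as &gt; so the file stays well-formed XML. -->
      <searchString>
        index=auth action=failure
        | stats count AS failures, dc(user) AS distinct_users BY src_ip
        | where failures &gt;= 10
        | sort - failures
      </searchString>
      <!-- Real-time window: from five minutes ago up to "now", advancing continuously. -->
      <earliestTime>rt-5m</earliestTime>
      <latestTime>rt</latestTime>
      <option name="charting.chart">bar</option>
    </chart>
  </row>
</dashboard>
```

Because the window slides, a source drops off the chart five minutes after its last failure, so this panel shows current pressure rather than a running total; a historical search over the same SPL with a fixed earliest/latest would give the total instead. The same search can be run as a real-time stream from the command line with the rtsearch subcommand of the splunk CLI (for example, `splunk rtsearch 'index=auth action=failure | stats count BY src_ip'`), which is the command-line access referred to above.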
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8