Splunk® Enterprise

Search Manual

Download manual as PDF

Download topic as PDF

Preview events

In a distributed environment, by default, when you run a search the results are not displayed until all of the search peers begin to return event data for the time range that you specify. In a distributed environment with a large number of peers, or where some of the peers are slow, there can be a delay in displaying search results.

The events preview mode displays an event as soon as the event is returned, instead of waiting until all of the events are returned to see the search results. This mode displays events that are in-memory and not yet committed.

Limitations using the preview mode

There are some limitations in the Events viewer when you enable the events preview mode.

You cannot expand the Events viewer to see detailed information about an event until all of the events from your search are returned. When you position your mouse over the information icon, a message informs you that the events preview mode is enabled.

As results are returned and displayed in the Events viewer, the order of the events changes. As new results are added to the Events viewer, the events are inserted into the correct time order.

The Events viewer provides the option to display events in a list, as a table, or as raw events. When the Events viewer is set to Table and the events preview mode is enabled, you cannot sort the list of events until the search completes.

Enable events preview mode

To see the events more quickly, you can enable the events preview mode in the Search app.

When you enable events preview, it is enabled for everyone using the Search app, not just for you.

Prerequisites

  • Only users with the admin role, or a role with equivalent permissions, can enable the events preview mode.
  • Review the steps in How to edit a configuration file in the Admin Manual.

Steps

  1. Open the local limits.conf file for the Search app. For example, $SPLUNK_HOME/etc/apps/<app_name>/local.
  2. Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location.
  3. Under the [search] stanza, set timeline_events_preview to true.


If you are using Splunk Cloud and want to enable the preview mode, open a Support ticket.

PREVIOUS
Identify event patterns with the Patterns tab
  NEXT
About searching with time

This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters