Splunk® Enterprise

Search Manual


Real-time searches and reports in the CLI

To run a real-time search in the CLI, replace the command "search" with "rtsearch":

./splunk rtsearch 'eventtype=pageview'

Use the highlight command to emphasize terms in your search results. The following example highlights "GET" in your page view events:

./splunk rtsearch 'eventtype=pageview | highlight GET'

By default, search results have line wrapping enabled. Use the -wrap option to turn off line wrapping:

./splunk rtsearch 'eventtype=pageview' -wrap 0

Real-time reports in the CLI will also display in preview mode and update as the data streams in.

./splunk rtsearch 'error | top clientip'

Use the -preview option to suppress the results preview:

./splunk rtsearch 'error | top clientip' -preview false

If you turn off preview, you can still manage (Save, Pause, Finalize, or Delete) the search from the Jobs page in Splunk Web. After you finalize the search, the report table will display. For more information, see "Supervise jobs with the Jobs page" in this manual.

To run a windowed real-time search, use the earliest_time and latest_time parameters.

./splunk rtsearch 'index=_internal' -earliest_time 'rt-30s' -latest_time 'rt+30s'

Note: The real-time window can only be set at the API level, so the search does not run if you specify the time range modifiers inside the search string itself. The -earliest_time and -latest_time CLI parameters set the same-name arguments of the REST API.

You can view all CLI commands by accessing the CLI help reference. For more information, see "Get help with the CLI" in this manual.


This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 7.0.0