You can use Splunk's real-time search to calculate metrics in real time on large incoming data flows without the use of summary indexing. However, because you are reporting on a live and continuous stream of data, the timeline updates as the events stream in, and you can only view the table or chart in preview mode. Also, some search commands (for example, streamstats and rtorder) are more applicable to real-time searches.
For a primer on reporting commands, see "Use reporting commands" in this manual.
Real-time reporting is accessible through Splunk Web and the CLI. For more information, read "About CLI searches" in the Search reference manual.
This feature is discussed in more detail and with examples in the User manual's "Search and Investigate" chapter. Refer to the topic "Real-time search and reporting".
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7