Splunk® Enterprise

Search Manual


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

About real-time searches and reports

With real-time searches and reports, you can search events before they are indexed and preview reports as the events stream in.

You can design alerts based on real-time searches that run continuously in the background. Such real-time alerts can provide timelier notifications than alerts that are based on scheduled reports. For more information, see the Alerting Manual.

You can also display real-time search results and reports in your custom dashboards using the dashboard editor, panel editor, and simple XML. For more information about the visual dashboard editor, see "Create simple dashboards with the UI" in the Splunk Data Visualizations Manual.

For more information about using real-time dashboards with advanced features that go beyond what the visual dashboard editor can provide, see Build a real-time dashboard in the Developer manual.

Note: By default, only users with the Admin role can run and save real-time searches. For more information on managing roles and assigning them to users, see "Add and edit roles" in Securing Splunk Enterprise.

Real-time search mechanics

Real-time searches scan events as they arrive for indexing. When you kick off a real-time search, Splunk software scans for incoming events that contain index-time fields that indicate they could be a match for your search.

As the real-time search runs, the software periodically evaluates the scanned events against your search criteria to find actual matches within the sliding time range window that you have defined for the search. The number of matching events can fluctuate up or down over time as the search discovers matching events at a faster or slower rate. If you are running the search in Splunk Web, the search timeline also displays the matching events that the search has returned within the chosen time range.

Here is an example of a real-time search with a one minute time range window. At the point that this screen capture was taken, the search had scanned a total of 904 events since it was launched. The matching event count of 447 represents the number of events matching the search criteria that had been identified in the past minute. This number fluctuated between 430 and 450 for the following minute. If it had spiked or dropped dramatically, that could have been an indication that something interesting was happening that required a closer look.

[Screenshot: 6.1 Aboutrealtimesearches.png, a real-time search with a one-minute time range window, showing the scanned-event count, the matching-event count, and the timeline.]

As you can see, the newest events are on the right-hand side of the timeline. As time passes, they move left until they move off the left-hand side, disappearing from the time range window entirely.
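The mechanics described above, as an added Python model written for this page (it is not Splunk's implementation): every arriving event is screened on index-time fields first, candidates are then evaluated against the full criteria, and matches are kept in a sliding one-minute window whose count rises and falls as events enter and leave it. The event stream, the sourcetype and host names, and the "Failed password" criterion are all constructed for the example; the spike threshold in is_spike is this example's own choice.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Event:
    time: int        # arrival (index) time in epoch seconds
    sourcetype: str  # index-time field, known before the event is searchable on disk
    host: str        # index-time field
    raw: str         # _raw text, evaluated against the full search criteria later


class RealtimeSearch:
    """Model of a real-time search with a sliding time-range window (seconds)."""

    def __init__(self, sourcetype, phrase, window=60):
        self.sourcetype = sourcetype  # cheap index-time pre-filter
        self.phrase = phrase          # full criterion applied at evaluation time
        self.window = window
        self.scanned = 0              # every event scanned since the search was launched
        self.hits = deque()           # arrival times of matches still inside the window

    def scan(self, event):
        """Called for every arriving event. Non-candidates are rejected on index-time
        fields alone; candidates are then checked against the full criteria."""
        self.scanned += 1
        if event.sourcetype != self.sourcetype:
            return False
        if self.phrase not in event.raw:
            return False
        self.hits.append(event.time)
        return True

    def matching_count(self, now):
        """Periodic evaluation: evict hits that slid out of the window, count the rest."""
        cutoff = now - self.window
        while self.hits and self.hits[0] <= cutoff:
            self.hits.popleft()
        return len(self.hits)


def is_spike(previous, current, factor=3.0):
    """The 'closer look' signal: the in-window count jumped by at least `factor`."""
    return previous > 0 and current >= factor * previous


def constructed_stream():
    """Constructed sample events (not real Splunk data) covering two minutes:
    one syslog heartbeat and one sshd line per second; one sshd line in five is a
    failure, and from second 90 onward four extra failures arrive every second."""
    events = []
    for t in range(120):
        events.append(Event(t, "syslog", "web01", "heartbeat ok"))
        sshd = "Failed password for root" if t % 5 == 0 else "Accepted publickey for deploy"
        events.append(Event(t, "linux_secure", "bastion", sshd))
        if t >= 90:
            events.extend(Event(t, "linux_secure", "bastion", "Failed password for admin")
                          for _ in range(4))
    return events


def run_demo(checkpoints=(60, 119)):
    """Feed the stream second by second and evaluate the window at each checkpoint."""
    search = RealtimeSearch("linux_secure", "Failed password", window=60)
    by_second = {}
    for event in constructed_stream():
        by_second.setdefault(event.time, []).append(event)
    counts = {}
    for now in sorted(by_second):
        for event in by_second[now]:
            search.scan(event)
        if now in checkpoints:
            counts[now] = search.matching_count(now)
    first, last = (counts[c] for c in checkpoints)
    return {"scanned": search.scanned, "counts": counts, "spike": is_spike(first, last)}


if __name__ == "__main__":
    print(run_demo())
```

At the first checkpoint the window holds the steady background rate; at the second it holds the burst, and the count has jumped by an order of magnitude while the scanned total keeps growing monotonically, which is the distinction between the two numbers in the screenshot above.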

A real-time search should continue running until you or another user stops it or deletes the search job; it should not time out for any other reason. If a real-time search stops on its own, or stops returning events, the cause is most likely performance-related (see "Expected performance and known limitations").

Real-time searches can use all search functionality, including advanced functionality such as lookups and transactions. Some search commands are designed specifically for use with real-time searches, such as streamstats and rtorder.

Indexed real-time search

The number of concurrent real-time searches can greatly affect indexing performance. To lessen the impact on the indexer, you can enable indexed real-time search. This runs the search like a historical search, but also continually updates it with new events as they appear on disk.

To make indexed real-time search the default behavior for your real-time searches, set indexed_realtime_use_by_default = true in the [realtime] stanza of limits.conf. If you are using Splunk Cloud and want to change the default for real-time searches, file a Support ticket.

Use indexed real-time search when up-to-the-second accuracy is not needed. The results returned by an indexed real-time search always lag behind a standard real-time search. You control the number of seconds of lag with the indexed_realtime_disk_sync_delay = <int> setting. By default, this delay is 60 seconds.

Other limits.conf settings that you can use to configure indexed real-time search behavior follow.


indexed_realtime_default_span = <int>
* An indexed real-time search is made up of many component historical searches that by default
* span this many seconds. If a component search does not complete within this many seconds, the
* next historical search spans the extra seconds. To reduce the overhead of running an
* indexed real-time search, you can increase this span so that the next component historical
* search starts later.
* Precedence: Indexers
* Default: 1

indexed_realtime_maximum_span = <int>
* While running an indexed real-time search, if the component searches regularly take longer
* than indexed_realtime_default_span seconds, the indexed real-time search can fall more than
* indexed_realtime_disk_sync_delay seconds behind real time. Use this setting to set a limit
* after which data is dropped so that the search catches back up to the specified delay from
* real time and again searches only the default span of seconds.
* Precedence: API overrides SearchHead overrides Indexers
* Default: 0 (unlimited)

indexed_realtime_cluster_update_interval = <int>
* While running an indexed real-time search on an indexer cluster, the list of allowed primary
* buckets must be updated periodically. This setting controls that interval, in seconds, and
* it must be less than indexed_realtime_disk_sync_delay. If your buckets transition from
* brand new (hot) to warm in less than this time, an indexed real-time search loses data in a
* clustered environment.
* Precedence: Indexers
* Default: 30
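As an added example (not Splunk code), a small Python checker that reads the [realtime] stanza of a limits.conf file, merges it over the defaults listed above, and flags the constraint the listing states: indexed_realtime_cluster_update_interval must be less than indexed_realtime_disk_sync_delay, or a clustered indexed real-time search can lose data. The two limits.conf fragments embedded in it are constructed for illustration, one inconsistent and one corrected; the additional check that a non-zero maximum span should not be shorter than the default span is this example's own assumption, not a documented rule.

```python
import configparser
import sys

# Built-in defaults as listed on this page (indexed_realtime_use_by_default is off by default).
DEFAULTS = {
    "indexed_realtime_use_by_default": "false",
    "indexed_realtime_disk_sync_delay": "60",
    "indexed_realtime_default_span": "1",
    "indexed_realtime_maximum_span": "0",
    "indexed_realtime_cluster_update_interval": "30",
}

# Constructed limits.conf fragment, not from a live deployment. It is inconsistent:
# the cluster update interval (30) is not less than the disk sync delay (20).
INCONSISTENT_CONF = """\
[realtime]
indexed_realtime_use_by_default = true
indexed_realtime_disk_sync_delay = 20
indexed_realtime_cluster_update_interval = 30
"""

# Corrected fragment: the delay is lengthened so the cluster interval stays below it, the
# component span is widened to cut overhead, and a maximum span caps how far behind the
# search may fall before it drops data and catches up.
CORRECTED_CONF = """\
[realtime]
indexed_realtime_use_by_default = true
indexed_realtime_disk_sync_delay = 60
indexed_realtime_default_span = 5
indexed_realtime_maximum_span = 120
indexed_realtime_cluster_update_interval = 30
"""


def effective_realtime_settings(conf_text):
    """Merge the [realtime] stanza over the built-in defaults and return typed values.
    Keys outside the five settings above are ignored."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    merged = dict(DEFAULTS)
    if parser.has_section("realtime"):
        section = parser["realtime"]
        for key in DEFAULTS:
            if key in section:
                merged[key] = section[key]
    typed = {k: int(v) for k, v in merged.items() if k != "indexed_realtime_use_by_default"}
    flag = merged["indexed_realtime_use_by_default"].strip().lower()
    typed["indexed_realtime_use_by_default"] = flag in ("true", "1")
    return typed


def check_realtime_limits(conf_text):
    """Return a list of findings; an empty list means the stanza is consistent."""
    s = effective_realtime_settings(conf_text)
    delay = s["indexed_realtime_disk_sync_delay"]
    span = s["indexed_realtime_default_span"]
    max_span = s["indexed_realtime_maximum_span"]
    interval = s["indexed_realtime_cluster_update_interval"]
    findings = []
    if span < 1:
        findings.append("indexed_realtime_default_span must be at least 1 second")
    if min(delay, max_span, interval) < 0:
        findings.append("negative values are not meaningful for these settings")
    # Constraint stated in the listing above: interval must be less than the disk sync delay.
    if interval >= delay:
        findings.append(
            f"indexed_realtime_cluster_update_interval ({interval}) must be less than "
            f"indexed_realtime_disk_sync_delay ({delay}); clustered searches can lose data")
    # Assumption of this example, not a documented rule: a non-zero cap shorter than the
    # default span would make every component search exceed it.
    if max_span and max_span < span:
        findings.append(
            f"indexed_realtime_maximum_span ({max_span}) is shorter than "
            f"indexed_realtime_default_span ({span})")
    return findings


if __name__ == "__main__":
    # With a path argument, check a real file; otherwise run the constructed fragments.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"inconsistent": INCONSISTENT_CONF, "corrected": CORRECTED_CONF}
    for name, text in samples.items():
        print(name, check_realtime_limits(text) or "ok")
```

On a live instance, limits.conf is layered across the system and app directories, so feed the checker the merged stanza (for example the output of `splunk btool limits list realtime`, which prints the same [stanza] and key = value form) rather than a single file.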
Last modified on 25 August, 2016

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11
