Real-time searches and reports in Splunk Web
Real-time searches in Splunk Web
You run a real-time search in exactly the same way you run historical searches. However, because you are searching a live and continuous stream of data, the timeline updates as the events stream in and you can only view the report in preview mode. Also, some search commands are more applicable to real-time searches than historical searches. For example, streamstats and rtorder were designed for use in real-time searches.
To kick off a real-time search in Splunk Web, use the time range menu to select a preset real-time time range window, such as 30 seconds or 1 minute. You can also specify a sliding time range window to apply to your real-time search.
If you have Apache web access data, run the following search to see web traffic events as they stream in.
The raw events that are streamed from the input pipeline are not time-ordered. You can use the rtorder command to buffer the events from a real-time search and emit them in ascending time order.
The following example keeps a buffer of the last 5 minutes of web traffic events, emitting events in ascending time order once they are more than 5 minutes old. Newly received events that are older than 5 minutes are discarded if an event after that time has already been emitted.
sourcetype=access_* | rtorder discard=t buffer_span=5m
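To make the buffering described above concrete, here is an added Python simulation (not Splunk code) of what buffer_span and discard do to a constructed out-of-order stream of event times. It assumes the events are represented by their _time in epoch seconds and approximates "now" by the newest event time seen so far rather than the wall clock.

```python
import heapq

# Constructed sample: event times (epoch seconds) in ARRIVAL order, with
# buffer_span=5m = 300s. 1100 arrives late but inside the buffer; 1050 arrives
# after 1100 has already been emitted and so is discarded.
SAMPLE_TIMES = [1000, 1200, 1100, 1500, 1050, 1900]


class RtOrder:
    """Simulates `rtorder discard=t buffer_span=5m`; events are their _time."""

    def __init__(self, buffer_span=300, discard=True):
        self.buffer_span = buffer_span  # seconds, like buffer_span=5m
        self.discard = discard          # like discard=t
        self._heap = []                 # min-heap of buffered event times
        self._newest = float("-inf")    # stands in for "now"; simplification: not wall clock
        self._last_emitted = float("-inf")
        self.discarded = []             # events dropped because they arrived too late

    def push(self, t):
        """Feed one event; return the events emitted as a result (in time order)."""
        if t < self._last_emitted:
            # A later event was already emitted, so this one can no longer be ordered.
            if self.discard:
                self.discarded.append(t)
                return []
            return [t]  # discard=f: pass it through at once, out of order
        heapq.heappush(self._heap, t)
        self._newest = max(self._newest, t)
        return self._drain(self._newest - self.buffer_span)

    def flush(self):
        """Finalizing the search: emit everything still buffered, in time order."""
        return self._drain(float("inf"))

    def _drain(self, cutoff):
        out = []
        while self._heap and self._heap[0] < cutoff:  # more than buffer_span old
            self._last_emitted = heapq.heappop(self._heap)
            out.append(self._last_emitted)
        return out


def run_rtorder(times, buffer_span=300, discard=True):
    """Run an arrival-ordered stream through RtOrder; return (emitted, discarded)."""
    r = RtOrder(buffer_span, discard)
    emitted = []
    for t in times:
        emitted.extend(r.push(t))
    emitted.extend(r.flush())
    return emitted, r.discarded
```

Running `run_rtorder(SAMPLE_TIMES)` emits 1000, 1100, 1200, 1500, 1900 in order and discards 1050; with `discard=False` the late 1050 is instead passed through out of order.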
Real-time search relies on a stream of events. Thus, you cannot run a real-time search with any other leading search command, such as | metadata, which does not produce events, or | inputcsv, which just reads in a file. Also, if you try to send the search results to | outputcsv, the CSV file will not be written until the real-time search is finalized.
Real-time reports in Splunk Web
Run a report to preview the IP addresses that access the most web pages. In this case, the top command returns a table with three columns: clientip, count, and percent. As the data streams in, the table updates with new values.
sourcetype=access_* | top clientip
For each web traffic event, add a count field that represents the number of events seen so far (but do not include the current event in the count).
sourcetype=access_* | streamstats count current=false
You can also drill down into real-time reports. However, real-time drilldown does not spawn another real-time search. Instead, it spawns a historical search, because you drill down into the events that have already been retrieved and indexed. For more information, see "Drilldown behavior" in the Dashboards and Visualizations Manual.
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10