Splunk® Enterprise

Search Manual

Splunk Enterprise version 8.1 will no longer be supported as of April 19, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Specify time ranges for real-time searches

Users must have the Admin role to run and save real-time searches. For more information on managing roles and assigning roles to users, see Create and manage roles with Splunk Web in Securing Splunk Enterprise.

In Splunk Cloud Platform on Victoria Experience, real-time searches are enabled by default. In Splunk Cloud Platform on Classic Experience, you must open a support ticket to enable real-time search. For more information, see About real-time searches and reports in the Search Manual.

Time ranges for historical searches are set at the time the search runs. With real-time searches, the time range boundaries are constantly updating and by default, the results accumulate from the start of the search. You can also specify a range that represent a sliding window of time, for example, the last 30 seconds. When you specify a sliding window, Splunk software uses that amount of time to accumulate data. For example, if your sliding window is 5 minutes, you will not start to see data until after the first 5 minutes have passed. You can override this behavior so that Splunk software backfills the initial window with historical data before running in the normal real-time search mode. See Real-time backfill.

Real-time searches can consume a lot of system resources. As a result, consider running scheduled searches instead of real-time searches, even if you need updated results every 1 or 5 minutes. See Scheduling searches.

Real-time modifier syntax

To run a search in real time, you can select from predefined Real-time time range windows in the time range range picker list or you can specify a custom real-time window using Custom time... and selecting Real-time.

Time ranges for real-time search follow the same syntax as for historical searches, except that you precede the relative time specifier with "rt", so that it's rt<time_modifier>: rt[+|-]<time_integer><time_unit>@<time_unit>. See Specify time modifiers in your search.

These values are not designed to be used in a search string. If you are a Splunk Enterprise administrator, you can use these values when you edit the times.conf file (to add options to the time range picker), to specify the earliest/latest time ranges in the saved search dialog, or when you use the REST API to access the Splunk search engine.

When you use time range windows with real-time searches, some of the events that occur within the latest second may not be displayed. This is expected behavior and is due to the latency between the timestamps within the events and the time when the event arrives. Because the time range window is with respect to the timestamps within the events and not the time when the event arrives, events that arrive after the time window won't display.

Real-time searches over "all time"

There is a small difference between real-time searches that take place within a set time window (30 seconds, 1 minute, 2 hours) and real-time searches that are set to "all time."

  • In "windowed" real time searches, the events in the search can disappear as they fall outside of the window, and events that are newer than the time the search job was created can appear in the window when they occur.
  • In "all-time" real-time searches, the window spans all of your events, so events do not disappear once they appear in the window, but events that are newer than the time the search job was created can appear in the window as they occur.
  • In comparison, historical search events never disappear from within the set range of time that you are searching and the latest event is always earlier than the job creation time (with the exception of searches that include events that have future-dated timestamps).

When you run large all-time real-time searches that result in more than 1,000 events, you may notice that not all of the search results are displayed in the Events viewer. This is because Splunk software uses a circular buffer to quickly access data in real time and displays only about 1,000 of the most recent events. To see all of the events when you run your searches, select a time range other than All time (real-time), such as All time.

Real-time backfill

For windowed real-time searches, you can backfill the initial window with historical data. This is run as a single search, just in two phases: first, a search on historical data to backfill events; then, a normal real-time search. Real-time backfill ensures that real-time dashboards seeded with data on actual visualizations and statistical metrics over time periods are accurate from the start.

You can enable real-time backfill in the limits.conf file in the [realtime] stanza:

[realtime]

default_backfill = <bool>
* Specifies if windowed real-time searches should backfill events
* Defaults to true

See also

Last modified on 17 October, 2023
Specify time modifiers in your search   Use time to find nearby events

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1, 8.1.0, 8.1.10, 8.1.11, 8.1.12


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters