Splunk Cloud Platform

Search Manual

Real-time searches and reports in the CLI

To run a real-time search in the CLI, replace the command "search" with "rtsearch":

./splunk rtsearch 'eventtype=pageview'

Use the highlight command to emphasize terms in your search results. The following example highlights "GET" in your page view events:

./splunk rtsearch 'eventtype=pageview | highlight GET'

By default, search results have line wrapping enabled. Use the -wrap option to turn off line wrapping:

./splunk rtsearch 'eventtype=pageview' -wrap 0

Real-time reports in the CLI will also display in preview mode and update as the data streams in.

./splunk rtsearch 'error | top clientip'

Use the -preview option to suppress the results preview:

./splunk rtsearch 'error | top clientip' -preview false

If you turn off preview, you can still manage (Save, Pause, Finalize, or Delete) the search from the Jobs page in Splunk Web. After you finalize the search, the report table will display. For more information, see "Supervise jobs with the Jobs page" in this manual.

To run a windowed real-time search, use the earliest_time and latest_time parameters. Real-time parameter values must be enclosed in single quotation marks.

rtsearch 'index=_internal' -earliest_time 'rt-30s' -latest_time 'rt+30s'

Real-time searches can only be set at the API level, so the search does not run if you try to specify the time range modifiers within the search string. The earliest_time and latest_time parameters should set the same-name arguments in the REST API.

See Search endpoint descriptions. Then navigate to search/jobs, under POST click Expand, and locate search_mode.

You can view all CLI commands by accessing the CLI help reference. For more information, see "Get help with the CLI" in this manual.

See also

Last modified on 25 June, 2019
Real-time searches and reports in Splunk Web   Expected performance and known limitations of real-time searches and reports

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters