Real-time searches and reports in the CLI
To run a real-time search in the CLI, replace the command "search" with "rtsearch":
./splunk rtsearch 'eventtype=pageview'
highlight command to emphasize terms in your search results. The following example highlights "GET" in your page view events:
./splunk rtsearch 'eventtype=pageview | highlight GET'
By default, search results have line wrapping enabled. Use the
-wrap option to turn off line wrapping:
./splunk rtsearch 'eventtype=pageview' -wrap 0
Real-time reports in the CLI will also display in preview mode and update as the data streams in.
./splunk rtsearch 'error | top clientip'
-preview option to suppress the results preview:
./splunk rtsearch 'error | top clientip' -preview false
If you turn off preview, you can still manage (Save, Pause, Finalize, or Delete) the search from the Jobs page in Splunk Web. After you finalize the search, the report table will display. For more information, see "Supervise jobs with the Jobs page" in this manual.
To run a windowed real-time search, use the
latest_time parameters. Real-time parameter values must be enclosed in single quotation marks.
rtsearch 'index=_internal' -earliest_time 'rt-30s' -latest_time 'rt+30s'
Real-time searches can only be set at the API level, so the search does not run if you try to specify the time range modifiers within the search string. The
latest_time parameters should set the same-name arguments in the REST API.
See Search endpoint descriptions. Then navigate to search/jobs, under POST click Expand, and locate search_mode.
You can view all CLI commands by accessing the CLI help reference. For more information, see "Get help with the CLI" in this manual.
Real-time searches and reports in Splunk Web
Expected performance and known limitations of real-time searches and reports
This documentation applies to the following versions of Splunk Cloud™: 7.0.13, 7.2.9, 8.0.2007, 8.1.2008, 7.2.10, 8.0.2006, 8.1.2009, 8.1.2011, 8.1.2012 (latest FedRAMP release), 8.1.2101, 8.1.2103, 8.2.2104