Preview events
In a distributed environment, by default, when you run a search the results are not displayed until all of the search peers begin to return event data for the time range that you specify. In a distributed environment with a large number of peers, or where some of the peers are slow, there can be a delay in displaying search results.
The events preview mode displays an event as soon as the event is returned, instead of waiting until all of the events are returned to see the search results. This mode displays events that are in-memory and not yet committed.
Limitations using the preview mode
There are some limitations in the Events viewer when you enable the events preview mode.
You cannot expand the Events viewer to see detailed information about an event until all of the events from your search are returned. When you position your mouse over the information icon, a message informs you that the events preview mode is enabled.
As results are returned and displayed in the Events viewer, the order of the events changes. As new results are added to the Events viewer, the events are inserted into the correct time order.
The Events viewer provides the option to display events in a list, as a table, or as raw events. When the Events viewer is set to Table and the events preview mode is enabled, you cannot sort the list of events until the search completes.
Enable events preview mode
To see the events more quickly, you can enable the events preview mode in the Search app.
When you enable events preview, it is enabled for everyone using the Search app, not just for you.
- Splunk Cloud Platform
- To enable the events preview mode request help from Splunk Support. If you have a support contract, file a new case using the Splunk Support Portal at Support and Services. Otherwise, contact Splunk Customer Support.
- Splunk Enterprise
- Prerequisites
- Only users with file system access, such as system administrators, can enable the events preview mode.
- Review the steps in How to edit a configuration file in the Admin Manual.
Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make the changes in the local directory.
- Steps
- Open the local
limits.conf
file for the Search app. For example,$SPLUNK_HOME/etc/apps/<app_name>/local
. - Under the [search] stanza, set
timeline_events_preview
totrue
.
Identify event patterns with the Patterns tab | About searching with time |
This documentation applies to the following versions of Splunk Cloud Platform™: 9.3.2408, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2208, 8.2.2112, 9.0.2205, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)
Feedback submitted, thanks!