Splunk Cloud Platform

Search Manual

Preview events

In a distributed environment, by default, when you run a search the results are not displayed until all of the search peers begin to return event data for the time range that you specify. In a distributed environment with a large number of peers, or where some of the peers are slow, there can be a delay in displaying search results.

The events preview mode displays an event as soon as the event is returned, instead of waiting until all of the events are returned to see the search results. This mode displays events that are in-memory and not yet committed.

Limitations using the preview mode

There are some limitations in the Events viewer when you enable the events preview mode.

You cannot expand the Events viewer to see detailed information about an event until all of the events from your search are returned. When you position your mouse over the information icon, a message informs you that the events preview mode is enabled.

As results are returned and displayed in the Events viewer, the order of the events changes. As new results are added to the Events viewer, the events are inserted into the correct time order.

The Events viewer provides the option to display events in a list, as a table, or as raw events. When the Events viewer is set to Table and the events preview mode is enabled, you cannot sort the list of events until the search completes.

Enable events preview mode

To see the events more quickly, you can enable the events preview mode in the Search app.

When you enable events preview, it is enabled for everyone using the Search app, not just for you.

Splunk Cloud Platform
To enable the events preview mode request help from Splunk Support. If you have a support contract, file a new case using the Splunk Support Portal at Support and Services. Otherwise, contact Splunk Customer Support.
Splunk Enterprise
Prerequisites
  • Only users with file system access, such as system administrators, can enable the events preview mode.
  • Review the steps in How to edit a configuration file in the Admin Manual.

Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make the changes in the local directory.

Steps
  1. Open the local limits.conf file for the Search app. For example, $SPLUNK_HOME/etc/apps/<app_name>/local.
  2. Under the [search] stanza, set timeline_events_preview to true.
Last modified on 28 October, 2021
Identify event patterns with the Patterns tab   About searching with time

This documentation applies to the following versions of Splunk Cloud Platform: 9.2.2406 (latest FedRAMP release), 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 8.2.2112


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters