Real-time searches and reports in the CLI
To run a real-time search in the CLI, replace the command "search" with "rtsearch":
./splunk rtsearch 'eventtype=pageview'
Use the highlight command to emphasize terms in your search results. The following example highlights "GET" in your page view events:
./splunk rtsearch 'eventtype=pageview | highlight GET'
By default, search results have line wrapping enabled. Use the -wrap option to turn off line wrapping:
./splunk rtsearch 'eventtype=pageview' -wrap 0
Real-time reports in the CLI will also display in preview mode and update as the data streams in.
./splunk rtsearch 'error | top clientip'
Use the -preview option to suppress the results preview:
./splunk rtsearch 'error | top clientip' -preview false
If you turn off preview, you can still manage (Save, Pause, Finalize, or Delete) the search from the Jobs page in Splunk Web. After you finalize the search, the report table will display. For more information, see "Supervise jobs with the Jobs page" in this manual.
To run a windowed real-time search, use the earliest_time and latest_time parameters. Real-time parameter values must be enclosed in single quotation marks.
rtsearch 'index=_internal' -earliest_time 'rt-30s' -latest_time 'rt+30s'
The real-time time range can only be set at the API level, so the search does not run if you specify the time range modifiers inside the search string. The earliest_time and latest_time CLI parameters set the arguments of the same name in the REST API.
For the argument details, see Search endpoint descriptions. Navigate to search/jobs, click Expand under POST, and locate search_mode.
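As an added example (not Splunk's own code or part of this manual), the following Python builds the search/jobs POST fields for a windowed real-time job, keeping the window in earliest_time and latest_time as described above rather than inside the search string. The unit table, the check for inline earliest=/latest= modifiers, and the handling of the leading search command are assumptions made for this example.

```python
import re
from urllib.parse import urlencode

# Real-time modifiers as the page shows them: "rt", optionally followed by an
# offset such as -30s or +30s. The unit table is an assumption for this example.
_RT_MOD = re.compile(r"^rt(?:([+-])(\d+)([smhd]))?$")
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_INLINE_TIME = re.compile(r"\b(earliest|latest)\s*=", re.IGNORECASE)

def rt_offset_seconds(modifier):
    """Signed offset in seconds: 'rt' -> 0, 'rt-30s' -> -30, 'rt+30s' -> 30."""
    m = _RT_MOD.match(modifier)
    if not m:
        raise ValueError(f"not a real-time modifier: {modifier!r}")
    sign, amount, unit = m.groups()
    if sign is None:
        return 0
    seconds = int(amount) * _UNIT_SECONDS[unit]
    return seconds if sign == "+" else -seconds

def build_rt_job_params(search, earliest="rt", latest="rt"):
    """Form fields for POST search/jobs that start a real-time job.

    The window goes in earliest_time/latest_time (the CLI's -earliest_time and
    -latest_time); a window written inside the search string is refused, since
    the page states it is not applied there.
    """
    if _INLINE_TIME.search(search):
        raise ValueError("put the window in earliest_time/latest_time, "
                         "not inside the search string")
    if rt_offset_seconds(earliest) > rt_offset_seconds(latest):
        raise ValueError("earliest_time must not be later than latest_time")
    # Unlike the CLI, REST search strings must begin with the 'search' command
    # (or a generating command introduced by '|').
    if not search.lstrip().startswith(("search ", "|")):
        search = "search " + search
    return {
        "search": search,
        "search_mode": "realtime",
        "earliest_time": earliest,
        "latest_time": latest,
    }

def encode_body(params):
    """URL-encode the fields as the HTTP client would send them."""
    return urlencode(params)

if __name__ == "__main__":
    print(encode_body(build_rt_job_params("index=_internal", "rt-30s", "rt+30s")))
```

The block deliberately makes no network call; send the encoded body with your own HTTP client and session token.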
You can view all CLI commands by accessing the CLI help reference. For more information, see "Get help with the CLI" in this manual.
See also:
Real-time searches and reports in Splunk Web
Expected performance and known limitations of real-time searches and reports
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)