indexed real-time search


A real-time search that runs after events are indexed, within the sliding time range window that you define for the search. Indexed real-time searches can substantially improve indexing performance. This is especially true if you're running many concurrent real-time searches, because indexed real-time searches decrease the impact on the indexer. An indexed real-time search is like a historical search, with the added benefit that it continually updates the search with new events as the events appear on disk.

Indexed real-time search is disabled by default on Splunk Enterprise.

For more information

In the Splunk Cloud Platform and Splunk Enterprise Search Manual: