real-time search


A search that displays a live and continuous view of events as they stream into the Splunk platform. With real-time searches and reports, you can search events before they are indexed and preview reports as the events stream in.

Unlike searches against historical data, time bounds for real-time searches continuously update. You can specify a time range that represents a sliding window of data, such as "data that has been received over the past 30 seconds." The Splunk platform uses this window to accumulate data, so you will see the data after 30 seconds pass.

You can disable real-time search for an indexer and map the ability to use real-time search to specific users or roles.

