Splunk Search

How to replace a real time search with a historical search without impacting the visualization that is based on the real time search?

butzowj
Path Finder

Hello,

My management (and me as well, of course) loves the way the visualizations for real time searches look. But from a system administration perspective, it's a nightmare, as we are all well aware of the impact real time searches have on the system.

To clarify, a real time search, when it updates its data, seamlessly and continuously transforms the current data point to the next data point as new data streams through Splunk. However, if we use a historical search with an auto-refresh, there is sort of a 'flash' of blank space as the search runs and populates the visualization with the newly retrieved data.

I am looking for a solution to replace the real time searches with a historical search without impacting the visualization - in other words, a historical search that displays like a real time search (only, of course without the continual updates to the values).

Is this possible, has anyone tried this or have any ideas? Again, the idea is to give management the 'smooth' visualizations they have come to expect from the real time searches without having to actually run a real time search.

Thanks,
Joel B

0 Karma

dmaislin_splunk
Splunk Employee

May I suggest you look at indexed_real-time: http://docs.splunk.com/Documentation/Splunk/6.5.0/Search/Aboutrealtimesearches

The number of concurrent real-time searches can greatly affect indexing performance. To lessen the impact on the indexer, you can enable indexed real-time search. This runs the search like a historical search, but also continually updates it with new events as they appear on disk. To enable indexed real-time search as the default behavior for your real-time searches, edit the limits.conf stanza called realtime and set indexed_realtime_use_by_default = true. Indexed real-time search is used when up-to-the-second accuracy is not needed. The results returned by indexed real-time search will always lag behind a real-time search. You can control the number of seconds of lag with the indexed_realtime_disk_sync_delay setting. By default, this delay is 60 seconds.

0 Karma
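As an added illustration of the answer above (not part of the original post), here is what the limits.conf change looks like. The file location assumes the usual local override path under $SPLUNK_HOME; the delay value of 30 is a constructed example, not a recommendation, and the Splunk default stays 60 if the line is omitted.

```ini
# $SPLUNK_HOME/etc/system/local/limits.conf  (assumed location; local/ overrides default/)
# Added example based on the answer above, not the original poster's configuration.

[realtime]
# Make every real-time search run as an indexed real-time search:
# it behaves like a historical search over events already on disk
# and is refreshed as new events are written, so the indexer is not
# kept busy serving raw real-time search pipelines.
indexed_realtime_use_by_default = true

# Seconds the results are allowed to lag behind true real-time.
# Splunk default is 60; 30 here is a constructed value to show the knob.
# Lower values refresh sooner but cost more indexer work.
indexed_realtime_disk_sync_delay = 30
```

Because this is a system-wide default, it changes every real-time search on that search head, not only the dashboard panels in question. Restart Splunk (or reload the settings) after editing, and confirm that the dashboards still read acceptably with the configured lag before rolling it out.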