If I want to run a real-time search, but my machine does not support it, how can I save system resources?
The closest you can get is to schedule a search every minute that looks at earliest=-1m@m latest=-0m@m
to iterate over the previous minute. Worst case your results are about a minute lagged from the events.
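
The schedule described in this answer, written as a savedsearches.conf stanza. This is an added example, not part of the original answer; the stanza name, index, sourcetype and search string are hypothetical placeholders.

```ini
# savedsearches.conf (added example; stanza name and search are hypothetical)
[per_minute_replacement_for_realtime]
search = index=main sourcetype=example_sourcetype | stats count by host

# Turn on scheduling and run once a minute.
enableSched = 1
cron_schedule = * * * * *

# Cover exactly the previous whole minute, snapped to minute boundaries,
# so consecutive runs tile the timeline without gaps or overlap.
dispatch.earliest_time = -1m@m
dispatch.latest_time = -0m@m

# Continuous scheduling: when the scheduler falls behind it does not skip
# a scheduled period, so no minute is left unsearched.
realtime_schedule = 0
```

Events that are indexed after their minute has already been searched are not picked up by this window; shifting both bounds back (for example `-2m@m` to `-1m@m`) trades extra lag for completeness.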
Thank you, jtrucks! Because we require data accuracy and high safety, what I want to know is how Splunk high availability is achieved, what its internal mechanism is, and how to realize these under optimal conditions.