Some questions about indexed rt (http://docs.splunk.com/Documentation/Splunk/6.2.2/Search/Aboutrealtimesearches#Indexed_real-time_sea...) apparently I can't post a link--so search for indexed realtime at Splunk docs if you don't know what it is.
thanks,
bw
You can define this on a saved search. In savedsearches.conf add (under the stanza for your search):
dispatch.indexedRealtime =
* Specifies whether to use indexed-realtime mode when doing realtime searches.
* Defaults to false
As far as I know you can not do this per role.
Ref:
http://docs.splunk.com/Documentation/Splunk/6.3.1/Admin/Savedsearchesconf
The docs say setting indexed_realtime_use_by_default = true sets indexed rt to be the "default" behavior. If this is enabled, is there still a way I can run "normal", pre-indexer rt searches, perhaps with some search argument or command?
Not that I'm aware of. I believe it's only one or the other.
Is there a way to make indexed rt the default for a role, but allow other roles to use normal rt?
I'm not aware of a way to apply limits.conf parameters to specific roles. I'm not seeing anything about that in its documentation either (http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Limitsconf ).
Are there any guidelines on best practices for setting indexed_realtime_default_span?
None that I can find. If you don't mind me asking, what is your use case? Best practice is actually to use scheduled searches over real-time searches because real-time searches require a dedicated core.
The use case is speculative, but I can imagine a customer who likes the resource-saving abilities of indexed realtime, but would like the ability to override it when needed. The default 60-second delay does not go over well with folks running an operations center and wanting an alert to fire as close to realtime as possible. So they'd desire the ability to run "real" realtime searches if needed.
Understandable, but you can't schedule a search in Splunk to run more frequently than once every 60 seconds, and best practices suggest that you wouldn't want to. See: http://docs.splunk.com/Documentation/Splunk/6.2.2/Alert/Definescheduledalerts#Best_practices_for_sch...
With that aside, you could probably write a custom script that runs a search over the API however frequently you want.
If you really want real-time searches, you can run them, but keep in mind that each real-time search consumes 1 CPU core.
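As an added example (not from this thread or from Splunk's own documentation), here are the two settings the answers above refer to side by side: the global limits.conf default, and a per-search savedsearches.conf stanza that opts into indexed real-time next to the once-a-minute scheduled alternative the later answer recommends. The stanza names, index, sourcetype and e-mail address are placeholders, and the span value is chosen for illustration only.

```ini
# --- $SPLUNK_HOME/etc/system/local/limits.conf ---
# Global default for all real-time searches. There is no per-role override,
# so this applies to every user who runs an rt search.
[realtime]
indexed_realtime_use_by_default = true
# Seconds each indexed-realtime poll covers (illustrative value).
indexed_realtime_default_span = 1

# --- $SPLUNK_HOME/etc/apps/<your_app>/local/savedsearches.conf ---
# 1) Real-time alert that opts into indexed real-time for this one search only
#    (dispatch.indexedRealtime defaults to false, per the first answer).
#    Remember: every running rt search holds a dedicated CPU core.
[ops_errors_indexed_rt]
search = index=ops_placeholder sourcetype=app_log level=ERROR
dispatch.earliest_time = rt-5m
dispatch.latest_time = rt
dispatch.indexedRealtime = true
enableSched = 1
cron_schedule = * * * * *
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
action.email = 1
action.email.to = soc-oncall@example.invalid

# 2) Scheduled equivalent: runs every 60 seconds, which is the smallest
#    interval the scheduler allows, and does not hold a core between runs.
#    A 2-minute window overlaps runs slightly so late-arriving events are not missed.
[ops_errors_scheduled]
search = index=ops_placeholder sourcetype=app_log level=ERROR
dispatch.earliest_time = -2m
dispatch.latest_time = now
enableSched = 1
cron_schedule = * * * * *
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
action.email = 1
action.email.to = soc-oncall@example.invalid
```

Restart splunkd (or reload the app) after editing these files; the limits.conf change affects every rt search, while the savedsearches.conf switch affects only the stanza it appears in.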