Splunk Search

Indexed Real Time Search

bwalden_splunk
Splunk Employee

Some questions about indexed rt (http://docs.splunk.com/Documentation/Splunk/6.2.2/Search/Aboutrealtimesearches#Indexed_real-time_sea...). Apparently I can't post a link, so search for indexed realtime at splunk docs if you don't know what it is.

  1. The docs say setting indexed_realtime_use_by_default = true sets indexed rt to be the "default" behavior. If this is enabled, is there still a way I can run "normal", pre-indexer rt searches, perhaps with some search argument or command?
  2. Is there a way to make indexed rt the default for a role, but allow other roles to use normal rt?
  3. Are there any guidelines on best practices for setting indexed_realtime_default_span?

thanks,
bw


tsteens
Explorer

You can define this on a saved search. In savedsearches.conf add (under the stanza for your search):

    dispatch.indexedRealtime =
    * Specifies whether to use indexed-realtime mode when doing realtime searches.
    * Defaults to false

As far as I know you can not do this per role.

Ref:
http://docs.splunk.com/Documentation/Splunk/6.3.1/Admin/Savedsearchesconf

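To show where the settings discussed in this thread actually live, here is an added example (not from any poster, and not Splunk's own documentation): a limits.conf [realtime] stanza that makes indexed real-time the global default, next to a savedsearches.conf stanza that opts a single saved real-time search into indexed mode while the global default stays false. The file locations, index, sourcetype and search name are assumptions made for illustration.

```ini
# Added example, not from the thread. Assumptions: limits.conf is in
# $SPLUNK_HOME/etc/system/local/ on the search head, savedsearches.conf is in
# an app's local/ directory, and the search itself is constructed.

# --- limits.conf -------------------------------------------------------------
[realtime]
# Make every real-time search an indexed real-time search (reads events after
# they are written to disk instead of tapping the indexing pipeline).
# Default: false.
indexed_realtime_use_by_default = true
# Interval, in seconds, at which an indexed real-time search re-reads the
# index. Default: 1. Raise it to reduce search-head load at the cost of latency.
indexed_realtime_default_span = 1
# Seconds that newly indexed events may lag before an indexed real-time search
# can see them; this is the roughly 60 second delay mentioned in the thread.
# Default: 60.
indexed_realtime_disk_sync_delay = 60

# --- savedsearches.conf ------------------------------------------------------
# Per-search opt-in, for the case where indexed_realtime_use_by_default is left
# at its default of false: only this saved search runs in indexed mode.
[Failed SSH logins by source - constructed example]
search = index=auth sourcetype=linux_secure "Failed password" | stats count by src
# A real-time window; "rt-5m" to "rt" is what the UI writes for a 5-minute window.
dispatch.earliest_time = rt-5m
dispatch.latest_time = rt
# Use indexed real-time mode for this search only. Default: false.
dispatch.indexedRealtime = true
```

Restart splunkd (or reload the app) after editing limits.conf; savedsearches.conf changes are picked up by `splunk _internal call /servicesNS/-/-/saved/searches/_reload` or a restart.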

masonmorales
Influencer

    The docs say setting indexed_realtime_use_by_default = true sets indexed rt to be the "default" behavior. If this is enabled, is there still a way I can run "normal", pre-indexer rt searches, perhaps with some search argument or command?

Not that I'm aware of. I believe it's only one or the other.

    Is there a way to make indexed rt the default for a role, but allow other roles to use normal rt?

I'm not aware of a way to apply limits.conf parameters to specific roles. I'm not seeing anything about that in its documentation either (http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Limitsconf ).

    Are there any guidelines on best practices for setting indexed_realtime_default_span?

None that I can find. If you don't mind me asking, what is your use case? Best practice is actually to use scheduled searches over real-time searches because real-time searches require a dedicated core.

bwalden_splunk
Splunk Employee

The use case is speculative, but I can imagine a customer who likes the resource-saving abilities of indexed realtime, but would like the ability to override it when needed. The default 60 second delay does not go over well with folks running an operations center and wanting an alert to fire as close to realtime as possible. So they'd desire the ability to run "real" realtime searches if needed.


masonmorales
Influencer

Understandable, but you can't schedule a search in Splunk to run more frequently than once every 60 seconds, and best practices suggest that you wouldn't want to. See: http://docs.splunk.com/Documentation/Splunk/6.2.2/Alert/Definescheduledalerts#Best_practices_for_sch...

With that aside, you could probably write a custom script that runs a search over the API however frequently you want.

If you really want real-time searches, you can run them, but keep in mind that each real-time search consumes 1 CPU core.
