Splunk Enterprise

Realtime search is very slow

sushildabare
Path Finder

When we perform All time search we get the results very quickly.
But when we search by selecting Realtime (30 seconds, 1 minute, 60 minutes etc.) the search is very, very slow.
Is there any setting in Splunk which we can set to improve the search response time for real-time searches?

Thanks

1 Solution

sdwilkerson
Contributor

Sushildabare,

I agree with Ayn's comment that a real-time search should show events in real time. Perhaps there are bad times (or timezones) in your data?

Choose the "Real Time > All time (real-time)" entry in the TimeRangePicker pulldown instead of one of the real-time intervals. This should show you data on the screen AS it is received. Examine your timeline. Are the times current?

If the data is the volume you expected, but the times/dates are off, then that is the answer to your problem. Of course, then you would have a new problem, which is to fix the time on the source or fix Splunk's interpretation of the time or timezone in props.conf.

Best,
Sean

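As an added illustration (not code from this thread or from Splunk), the Python below models what Sean describes: log lines whose timestamps carry no zone, read under the wrong timezone, land hours outside a 30-second real-time window, so the search shows nothing and looks "slow". The sample lines, the UTC-4 source host, the arrival time and the simplified trailing-window model are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample log lines: local wall-clock time, no zone suffix.
SAMPLE_LINES = [
    "2024-03-12 14:00:05 sshd[1201]: Accepted publickey for deploy from 10.0.0.7",
    "2024-03-12 14:00:12 sshd[1202]: Failed password for root from 10.0.0.9",
    "2024-03-12 14:00:20 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx",
]
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # the shape a props.conf TIME_FORMAT would declare

# Assumed arrival time at the indexer (UTC). The source host is assumed to be at UTC-4,
# so "14:00:05" really means 18:00:05Z, i.e. 25 seconds before arrival.
ARRIVAL_TIME = datetime(2024, 3, 12, 18, 0, 30, tzinfo=timezone.utc)


def parse_time(line, tz_offset_hours):
    """Interpret the leading timestamp in the zone the indexer *assumes*."""
    naive = datetime.strptime(line[:19], TIME_FORMAT)
    return naive.replace(tzinfo=timezone(timedelta(hours=tz_offset_hours)))


def events_in_window(lines, now, window_seconds, tz_offset_hours):
    """Simplified model of a windowed real-time search: an arriving event is
    shown only if its parsed _time lies in the trailing window ending at `now`."""
    start = now - timedelta(seconds=window_seconds)
    return [line for line in lines if start <= parse_time(line, tz_offset_hours) <= now]


def time_skew_seconds(line, now, tz_offset_hours):
    """Sean's check, 'are the times current?': distance between the parsed _time
    and the arrival time, in seconds (positive means the event sits in the past)."""
    return (now - parse_time(line, tz_offset_hours)).total_seconds()


if __name__ == "__main__":
    for label, offset in (("correct zone (UTC-4)", -4), ("wrong zone (assumed UTC)", 0)):
        shown = events_in_window(SAMPLE_LINES, ARRIVAL_TIME, 30, offset)
        skew = time_skew_seconds(SAMPLE_LINES[0], ARRIVAL_TIME, offset)
        print(f"{label}: {len(shown)} of {len(SAMPLE_LINES)} events in 30 s window, "
              f"first event parsed {skew:.0f} s before arrival")
```

Under the correct offset all three events fall inside the window; under the wrong one they are parsed four hours in the past and none are shown, which is exactly the symptom the question reports.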

BenAveling
Path Finder

As per Sean's answer, real-time searches never 'finish'. But they should display all the available results about as quickly as relative searches. What they don't do is tell you that they have found all the available results, because they are still searching.

This can be particularly confusing if you use Time range picker -> All time (real-time) without realising that it is 'special': it does not show past events, only events that occur after the search started. You'll see that the number of events matched is only, for example, "28 of 28 events matched", where 28 is the number of events that have matched since your search started. If you were expecting more results, it can seem that it is slow, when in fact it has actually finished.

Officially, this is a feature, even though it may not feel like one. See: http://docs.splunk.com/Documentation/Splunk/6.0/Search/Specifyrealtimewindowsinyoursearch#Real-time_...


sushildabare
Path Finder

Thanks Ayn and Sean for your inputs. I completely agree with Ayn: in real-time searching, events will be shown as they arrive in real time.


Ayn
Legend

When you do real-time searching, events will be shown as they arrive in real time. How have you come to the conclusion that the search is slow? Do you know that events are arriving at a much higher rate than they are shown in the interface?
