Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Combining historical and realtime searches

dwaddle
SplunkTrust
SplunkTrust
‎06-15-2010 05:37 AM

Is there any way to combine historical and realtime searches into a single search?

For example, I'd like to be able to search starting at (say) earliest=-5m@m and continue realtime into the future @ 1m increments.

The goal is to get a little context in your real time searches with what might have happened just before starting it.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

Yancy
Path Finder
‎02-01-2012 09:27 AM

This is now available as of Splunk 4.3

http://docs.splunk.com/Documentation/Splunk/4.3/User/RealtimeSearch#Real-time_backfill

Reply
Solved! Jump to solution

klee310
Communicator
‎05-02-2011 05:40 AM

is there any news in this regard?

0 Karma
Reply
Solved! Jump to solution

Yancy
Path Finder
‎06-15-2010 07:02 PM

AFAIK, no. See: http://www.splunk.com/base/Documentation/latest/User/RealtimeSearch#Expected_performance_and_known_l...

But, that makes me wonder if you could combine results from a historical sub-search into a real-time search. Seems like it should be possible.

Reply
Solved! Jump to solution

Jason
Motivator
‎11-16-2010 04:11 AM

Same here, I have had a LOT of clients ask about it. I end up having to create two graphs next to each other on a dashboard, one backward-looking, one forward-looking, if they don't plan on keeping the dashboard open longer than the range of the realtime search. (If they do, once events expire off the end of the realtime search, a gap in time will grow between the historical graph and the realtime. In that case I say just leave the realtime graph open and let it populate.)

0 Karma
Reply
Solved! Jump to solution

zscgeek
Path Finder
‎07-24-2010 02:50 PM

I would love to see this as well.

0 Karma
Reply
Solved! Jump to solution

Lowell
Super Champion
‎06-17-2010 09:57 PM

Anyone have an idea on when this kind of feature could become available? This seems like a very natural type of request to me that would be very beneficial to a lot of users.

0 Karma
Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎06-15-2010 07:15 PM

Yup, there it is in the docs - "However, you cannot run a single search on both real-time data and historical data at the same time. "

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...