Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Combining historical and realtime searches

dwaddle
SplunkTrust
SplunkTrust
‎06-15-2010 05:37 AM

Is there any way to combine historical and realtime searches into a single search?

For example, I'd like to be able to search starting at (say) earliest=-5m@m and continue realtime into the future @ 1m increments.

The goal is to get a little context in your real time searches with what might have happened just before starting it.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

Yancy
Path Finder
‎02-01-2012 09:27 AM

This is now available as of Splunk 4.3

http://docs.splunk.com/Documentation/Splunk/4.3/User/RealtimeSearch#Real-time_backfill

Reply
Solved! Jump to solution

klee310
Communicator
‎05-02-2011 05:40 AM

is there any news in this regard?

0 Karma
Reply
Solved! Jump to solution

Yancy
Path Finder
‎06-15-2010 07:02 PM

AFAIK, no. See: http://www.splunk.com/base/Documentation/latest/User/RealtimeSearch#Expected_performance_and_known_l...

But, that makes me wonder if you could combine results from a historical sub-search into a real-time search. Seems like it should be possible.

Reply
Solved! Jump to solution

Jason
Motivator
‎11-16-2010 04:11 AM

Same here, I have had a LOT of clients ask about it. I end up having to create two graphs next to each other on a dashboard, one backward-looking, one forward-looking, if they don't plan on keeping the dashboard open longer than the range of the realtime search. (If they do, once events expire off the end of the realtime search, a gap in time will grow between the historical graph and the realtime. In that case I say just leave the realtime graph open and let it populate.)

0 Karma
Reply
Solved! Jump to solution

zscgeek
Path Finder
‎07-24-2010 02:50 PM

I would love to see this as well.

0 Karma
Reply
Solved! Jump to solution

Lowell
Super Champion
‎06-17-2010 09:57 PM

Anyone have an idea on when this kind of feature could become available? This seems like a very natural type of request to me that would be very beneficial to a lot of users.

0 Karma
Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎06-15-2010 07:15 PM

Yup, there it is in the docs - "However, you cannot run a single search on both real-time data and historical data at the same time. "

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...