Hi,
I am trying to set up a realtime search which is running 24/7 but without having a dashboard attached to it. The reason for this is that I would like to retrieve data periodically using the REST API.
How do I go about getting a real time search to run indefinitely?
Thanks in advance.
If you put a real-time search into a dashboard panel and save the panel in a dashboard, the search should run forever.
Alternatively, try saving your real-time search and scheduling the search to run every hour. I suspect that it will only run once (but check after an hour) and when your search head (or service) restarts, within an hour, the search should be running again.
Per your comments on cusello's answer below, can we step back a second and make sure we're all trying to answer the question that needs answering? There seems to be a bit more under the hood than it might appear at first glance.
What did you mean by "runs too slowly to be scheduled" - just the lag is deemed too great if it runs once per minute?
What did you mean by "retrieve data periodically"? Periodically != RT.
How do those two things fit together? Periodically retrieve RT information? Why not just retrieve up to date information at the time you bang into the REST API?
If you could more fully describe the situation, perhaps we'll be able to come up with better, more complete solutions.
Thanks!
Hi rich7177,
The results of the query are required every minute, however, the search takes around 10 minutes to complete.
There will be over 50 clients of this search which require the results via the REST API. Each client will poll Splunk every minute which, even if the search was quicker, would mean 50 searches a minute.
I thought a better way to do it would be to run a search in real time and then have the clients poll Splunk for the latest result set from the search.
Thanks in advance,
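The design described in this post (one long-running real-time job, many clients reading its newest result set) sketched as an added Python example; it is not code from the thread or from Splunk. It assumes splunkd's REST API on the management port (8089), a session token, the `search/jobs` and `results_preview` endpoints, and a caller-supplied transport so the cache logic can be exercised without a server.

```python
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Optional

# Assumed transport signature: fetch(method, path, form_or_None) -> parsed JSON dict.
Transport = Callable[[str, str, Optional[dict]], dict]

def urllib_transport(base_url: str, token: str) -> Transport:
    """HTTPS transport for splunkd, e.g. base_url="https://splunk.example:8089" (placeholder)."""
    def fetch(method, path, form=None):
        body = urllib.parse.urlencode(form).encode() if form else None
        req = urllib.request.Request(base_url + path, data=body, method=method)
        req.add_header("Authorization", "Splunk " + token)  # token from /services/auth/login
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode())
    return fetch

class SharedRealtimeSearch:
    """One real-time job shared by all clients; results served from a short-lived cache,
    so 50 pollers per minute cost at most one results_preview request per ttl seconds."""

    def __init__(self, transport, spl, window="rt-5m", ttl=60.0, clock=time.monotonic):
        self.fetch, self.spl, self.window, self.ttl, self.clock = transport, spl, window, ttl, clock
        self.sid = None                 # job id returned by splunkd on dispatch
        self._cached, self._cached_at = None, -float("inf")

    def start(self):
        """Dispatch the real-time job (spl must be a full search string, e.g. 'search index=...')."""
        resp = self.fetch("POST", "/services/search/jobs", {
            "search": self.spl, "earliest_time": self.window,
            "latest_time": "rt", "output_mode": "json"})
        self.sid = resp["sid"]
        return self.sid

    def alive(self):
        """True while the job is still running (a finished or failed job must be re-dispatched)."""
        job = self.fetch("GET", f"/services/search/jobs/{self.sid}?output_mode=json", None)
        content = job["entry"][0]["content"]
        return not content.get("isDone", False) and content.get("dispatchState") != "FAILED"

    def latest(self):
        """Newest preview results; hits splunkd at most once per ttl, restarting a dead job."""
        now = self.clock()
        if self._cached is not None and now - self._cached_at < self.ttl:
            return self._cached
        if self.sid is None or not self.alive():
            self.start()
        path = f"/services/search/jobs/{self.sid}/results_preview?output_mode=json"
        self._cached, self._cached_at = self.fetch("GET", path, None).get("results", []), now
        return self._cached
```

The token used by the transport should belong to a role limited to running this one search, since every client then shares its permissions rather than its own.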
Just start it and select the Send Job to Background item in the Jobs menu under the timeline on the right side.
Hi Woodock,
The 'Send Job to Background' button is greyed out.
Try to execute the same search using a scheduled report or a realtime alert!
What do you want to extract with the search?
Bye.
Giuseppe
Hi Giuseppe,
The report is quite heavy and takes some time to run. Scheduling the report will not provide results fast enough for our requirements.
I have set the search up as a real time alert but am unable to extract the results from this.
I am trying to extract the entire result of the search with the REST calls.
Thanks