rt_md realtime searches?

arpit_arora · ‎02-15-2018

Hello, does anyone what generates realtime searches whose search_id starts with "rt_md"?

I rarely run real time searches but if I look at audit.log, I see a bunch of searches under my username for which is_realtime field is set to 1. Also their search_ids begin with "rt_md".

However if I do run a real time search and look for it's search_id, it starts only with "rt_".

So what are these searches which I never ran but show up as realtime and their search_ids start with "rt_md"?

aklgo · ‎02-21-2018

Hi Arpit. I have been trying to answer the same question and may have an answer for you.

Unfortunately this naming convention is not documented under Dispatch directory and search artifacts:
https://docs.splunk.com/Documentation/SplunkCloud/7.0.0/Search/Dispatchdirectoryandsearchartifacts

However, I found some information on the real-time metadata search in this post. Its a query that is embedded in the search app page which automatically retrieves a user's data:
https://answers.splunk.com/answers/171350/how-to-disable-real-time-searches-that-run-when-lo.html

I hope this helps!!

arpit_arora · ‎02-15-2018

For example, here's a search_id and related search string.

'rt_md_1518568804.651085_0B533784-8A3E-4E74-B06C-8A3951E1D576'
'| metadata type=sourcetypes | search totalCount > 0'

I think "rt_md" stands for real time meta data search.

What is the nature of such searches?

rt_md realtime searches?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!