Rrealtime_schedule in SavedSearches.conf, is this ...

Dark_Ichigo · ‎06-05-2013

I would like the savedsearch to run in real time, basically populate the saved search I have set in savedsearches.conf to be populated in realtime as more and more data gets forwarded to the raw index.

Is the realtime_schedule = [0|1] I find in the savedsearches.conf what I'm looking for in this case?, I have read the config template about it here, but more real life information about what to expect from this would be great!

the_wolverine · ‎08-05-2015

No, this does not determine whether your scheduled search runs in realtime. Per the saved searches.conf.spec:

realtime_schedule = [0|1]
* Controls the way the scheduler computes the next execution time of a scheduled search.
* If this value is set to 1, the scheduler bases its determination of the next scheduled search
execution time on the current time.
* If this value is set to 0, the scheduler bases its determination of the next scheduled search
on the last search execution time. This is called continuous scheduling.
** If set to 1, the scheduler might skip some execution periods to make sure that the scheduler
is executing the searches running over the most recent time range.
If set to 0, the scheduler never skips scheduled execution periods. However, the execution
of the saved search might fall behind depending on the scheduler's load. Use continuous
scheduling whenever you enable the summary index option.**
* The scheduler tries to execute searches that have realtime_schedule set to 1 before it
executes searches that have continuous scheduling (realtime_schedule = 0).
* Defaults to 1

Rrealtime_schedule in SavedSearches.conf, is this what I'm looking for?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!