Splunk Search

Switching saved, scheduled searches to real time

SteveS
Splunk Employee

If I have a bunch of saved searches I run hourly, what should I consider before switching any or all of them to real time searches (with Splunk 4.1)?

2 Solutions

Erik_Swan
Splunk Employee

In 4.1 we provide real time search that will operate on the live stream of data prior to being indexed. For real time searches there is no notion of running on a schedule - they are either running or not. When running they will stream results to the UI, through the CLI, or over the REST endpoint.

Typically you would use a scheduled search for alerting or to populate a summary index. At least for the first 4.1 releases we suggest that you stay with a scheduled search for alerting or populating a summary and use real time searches on dashboards and when watching the results of a search.

A good starting point would be to clone some of your scheduled searches and try changing the time range picker to real time and see what the real time stream looks like.

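As an added illustration (not code from this thread or from Splunk's own documentation), here is a savedsearches.conf sketch contrasting the hourly scheduled search Erik suggests keeping for alerting and summary indexing with a cloned real-time copy meant for a dashboard. The stanza names, the search string, the sourcetype and field names, the thresholds and the e-mail address are all assumed for the example; only the conf attributes themselves are standard.

```ini
# Added example, not from the thread. Stanza names, the search, the
# sourcetype/field names, thresholds and the address are assumptions.

# 1) Keep this one scheduled: it alerts and feeds a summary index.
[hourly_failed_logins]
search = index=main sourcetype=linux_secure "Failed password" | stats count by src_ip
enableSched = 1
cron_schedule = 0 * * * *
# Window aligned to the hour, so each run covers the previous full hour.
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
# Populate a summary index so long-range reports stay cheap.
action.summary_index = 1
action.summary_index._name = summary
# Alert when the run returns more than 50 result rows (example numbers).
counttype = number of events
relation = greater than
quantity = 50
action.email = 1
action.email.to = secops@example.com

# 2) Real-time clone for watching the live stream on a dashboard.
# No cron_schedule: a real-time search is either running or not, and per
# the 4.1-era advice above it carries no alert or summary-index actions.
[rt_failed_logins]
search = index=main sourcetype=linux_secure "Failed password" | stats count by src_ip
enableSched = 0
# "rt-5m" to "rt" is the conf equivalent of choosing "real time" in the
# time range picker: a sliding 5-minute window over data as it arrives.
dispatch.earliest_time = rt-5m
dispatch.latest_time = rt
```

Cloning the scheduled stanza and changing only the dispatch window is the conf-file form of the "clone and switch the time range picker" experiment suggested in the answer.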

jrodman
Splunk Employee

I think the simple answer is that we don't yet have real-time search based alerting, so probably most of your existing searches will want to stay as-is. However, there are some searches which might be useful more as an investigative real-time search than a periodically generated report, etc. But that would be highly specific to the searches and the user stories.

