Splunk Search

Switching saved, scheduled searches to real time

SteveS
Splunk Employee
Splunk Employee

If I have a bunch of saved searches I run hourly, what should I consider before switching any or all of them to real time searches (with Splunk 4.1)?

2 Solutions

Erik_Swan
Splunk Employee
Splunk Employee

In 4.1 we provide real time search that will operate on the live stream of data prior to being indexed. For real time searches there is no notion of running on a schedule - they are either running or not. When running they will stream results to the UI, through the cli, or over the REST endpoint.

Typically you would use a scheduled search for alerting or to populate a summary index. At least for the first 4.1 releases we suggest that you stay with a scheduled search for alerting or populating a summary and use real time searches on dashboards and when watching the results of a search.

A good starting point would be to clone some of your scheduled searches and try changing the time range picker to real time and see what the real time stream looks like.

View solution in original post

jrodman
Splunk Employee
Splunk Employee

I think the simple answer is that we don't yet have real-time search based alerting, so probably most of your existing searches will want to stay as-is. However, there are some searches which might be useful more as an investigative realtime search than a periodically generated report, etc. But that would be highly specific to the searches and the user stories.

View solution in original post

jrodman
Splunk Employee
Splunk Employee

I think the simple answer is that we don't yet have real-time search based alerting, so probably most of your existing searches will want to stay as-is. However, there are some searches which might be useful more as an investigative realtime search than a periodically generated report, etc. But that would be highly specific to the searches and the user stories.

Erik_Swan
Splunk Employee
Splunk Employee

In 4.1 we provide real time search that will operate on the live stream of data prior to being indexed. For real time searches there is no notion of running on a schedule - they are either running or not. When running they will stream results to the UI, through the cli, or over the REST endpoint.

Typically you would use a scheduled search for alerting or to populate a summary index. At least for the first 4.1 releases we suggest that you stay with a scheduled search for alerting or populating a summary and use real time searches on dashboards and when watching the results of a search.

A good starting point would be to clone some of your scheduled searches and try changing the time range picker to real time and see what the real time stream looks like.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...