Solved: Re: Non-windowed realtime search

mexa · ‎03-10-2014

On page 62 of the Splunk Search manual, it mentions that: "Windowed real-time searches are more expensive than non-windowed." And: "If your windowed search does not display the expected number of events, try a non-windowed search."

From what I understand, when you specify a time range in the Realtime search query, that makes it a "windowed" search. How do I run a non-windowed search in that case? I am simply interested in reading the newest events coming into the system, without doing any buffering on the server side. I am using the Java SDK for this.

Cheers

martin_mueller · ‎03-11-2014

You'll get a non-windowed realtime search by setting earliest_time=rt and latest_time=rt.

View solution in original post

martin_mueller · ‎03-11-2014

You'll get a non-windowed realtime search by setting earliest_time=rt and latest_time=rt.

martin_mueller · ‎03-12-2014

There is a realtime_buffer of 10000 defined in http://docs.splunk.com/Documentation/Splunk/6.0.2/Admin/limitsconf - I'm not sure if that's relevant for you though because that setting mentions splunkweb. There's also a queue_size of 10000, maybe more.

mexa · ‎03-11-2014

Thanks Martin. Do you know if there is a rate limit for the number of events forwarded to a realtime query?

Non-windowed realtime search

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases