Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Querying a Real Time search

atreece
Path Finder
‎02-16-2012 01:45 PM

I am trying to make an external dashboard for splunk that needs to be real time. At the moment, all we can do is make a script on our end to resend the search every so often and refresh the page for the new results.
What I want to know, however, is if there is a way to query splunk to make a real time search.
In other words, can a real time search be executed from some syntax in the search string? Without using the time range picker whatsoever?

EDIT: I have tried to use "earliest=rt-10m latest=rt" but got an error saying: Invalid value "rt-5m" for time term 'earliest'

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎02-21-2012 08:46 AM

Do you mean using real-time specifiers in the search string? This would give you a 5 minute real time window:

foobar=fizbaz earliest=rt-5 latest=rt

UPDATE: I asked the experts SS and Dr. Z, and this is expected behavior. Real-time search can only be set at the API level, such as time-range picker does, and not via the search string. Who knew?

View solution in original post

Reply
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎02-21-2012 08:46 AM

Do you mean using real-time specifiers in the search string? This would give you a 5 minute real time window:

foobar=fizbaz earliest=rt-5 latest=rt

UPDATE: I asked the experts SS and Dr. Z, and this is expected behavior. Real-time search can only be set at the API level, such as time-range picker does, and not via the search string. Who knew?

Reply
Solved! Jump to solution

mindtouch_adria
Explorer
‎10-02-2016 10:30 PM

Thank you for the helpful answer. If Real-time search can only be set at the API level, what is a good example to do this? I am using the Python SDK and I would like to find a way to setup Real-time search. I am starting with the "search.py" example.

Thank you

Reply
Solved! Jump to solution

jrodman
Splunk Employee
Splunk Employee
‎10-03-2016 12:21 PM

This should really be an independent question, though probably this answer should link to that information.

When interacting at the api level, the client has an explicitly choice of the first command, and can select rtsearch instead of search. However, you'll have to select different values for et / lt typically, such as the above discussed rt-5m.

0 Karma
Reply
Solved! Jump to solution

mindtouch_adria
Explorer
‎10-03-2016 03:09 PM

Ok, thanks jrodman. I'll create a new question.

0 Karma
Reply
Solved! Jump to solution

atreece
Path Finder
‎02-21-2012 11:37 AM

ok, thank you

0 Karma
Reply
Solved! Jump to solution

araitz
Splunk Employee
Splunk Employee
‎02-21-2012 11:26 AM

See my updated post above.

0 Karma
Reply
Solved! Jump to solution

atreece
Path Finder
‎02-21-2012 11:02 AM

I get the same for "rt-5"

0 Karma
Reply
Solved! Jump to solution

atreece
Path Finder
‎02-21-2012 11:01 AM

Invalid value "rt-5m" for time term 'earliest'

0 Karma
Reply
Solved! Jump to solution

araitz
Splunk Employee
Splunk Employee
‎02-21-2012 10:57 AM

What is the error that you receive?

0 Karma
Reply
Solved! Jump to solution

atreece
Path Finder
‎02-21-2012 10:39 AM

That's exactly what I thought should work, but when I tried it, I got an error.
Is there an additional parameter I need? or would this involve the config files?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...