Real Time Searches

nikhilmehra79
Path Finder

Are there any disadvantages to running real-time searches and alerting on them? Currently we are testing a few functionalities in Dev/PreProd, but we want to pick the brains of experienced community members: can they point to performance degradation issues if you run real-time searches, say every minute or less, and alert on them? Or is it better to increase the time duration or schedule searches? Please advise.


linu1988
Champion

Hello Nikhil,
Real-time searches do require CPU most of the time. But unless necessary, you can just schedule them to run every 1 min/2 mins. Real-time alerts definitely work, and it depends on your server configuration how much it can dedicate to alerts, dedicated searches for users, and scheduled searches. You can take a look at limits.conf for the CPU and search calculations.


nikhilmehra79
Path Finder

Thanks... so I am assuming the advisable approach will be to schedule searches every 5-15 minutes etc. (depending on your need, as against doing the same using real-time searches).
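The trade-off discussed in this thread, shown as an added `savedsearches.conf` sketch that is not part of the original posts: the same alert defined once as a real-time search and once as a scheduled search. The stanza names, index, sourcetype, threshold and time offsets are constructed for illustration.

```ini
# savedsearches.conf (constructed example, not from the thread)

# Real-time variant: the search process stays resident on the search head
# and indexers for as long as the alert is enabled, so it holds a search
# slot and CPU continuously.
[Failed logins - real-time (example)]
search = index=auth_example sourcetype=example:auth action=failure
enableSched = 1
cron_schedule = * * * * *
dispatch.earliest_time = rt-1m
dispatch.latest_time = rt-0m
counttype = number of events
relation = greater than
quantity = 10
alert.track = 1

# Scheduled variant: runs every 5 minutes over a fixed 5-minute window,
# then exits and frees its search slot until the next run.
# The window is shifted back by one minute (an assumption) so events that
# are indexed slightly late are still counted.
[Failed logins - scheduled (example)]
search = index=auth_example sourcetype=example:auth action=failure
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -6m@m
dispatch.latest_time = -1m@m
counttype = number of events
relation = greater than
quantity = 10
alert.track = 1

# The concurrency ceilings both variants compete for are set in limits.conf:
#   [search]     base_max_searches, max_searches_per_cpu,
#                max_rt_search_multiplier
#   [scheduler]  max_searches_perc
```

Keeping the scheduled window the same width as the cron interval avoids both gaps and double-counting between runs.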
