|
If I have a bunch of saved searches I run hourly, what should I consider before switching any or all of them to real time searches (with Splunk 4.1)? |
|
In 4.1 we provide real time search that will operate on the live stream of data prior to being indexed. For real time searches there is no notion of running on a schedule - they are either running or not. When running they will stream results to the UI, through the cli, or over the REST endpoint. Typically you would use a scheduled search for alerting or to populate a summary index. At least for the first 4.1 releases we suggest that you stay with a scheduled search for alerting or populating a summary and use real time searches on dashboards and when watching the results of a search. A good starting point would be to clone some of your scheduled searches and try changing the time range picker to real time and see what the real time stream looks like. |
|
I think the simple answer is that we don't yet have real-time search based alerting, so probably most of your existing searches will want to stay as-is. However, there are some searches which might be useful more as an investigative realtime search than a periodically generated report, etc. But that would be highly specific to the searches and the user stories. |
