Real-time vs. Historical Searches and Reports: Splunk supports both real-time and historical searches, and in this post we discuss the time frames of Splunk searches.

About real-time searches & reports

With real-time searches and reports, you can search events before they are indexed into Splunk and preview reports as the events pour in.

When to use real-time reports and searches

You can design alerts based on real-time searches that run continuously in the background. Real-time alerts give timelier notifications than alerts based on scheduled reports.

You can also use real-time search results and reports on dashboards.

Note that a large number of concurrent real-time searches significantly degrades the indexing performance of your Splunk instance(s). To avoid this limitation and its negative effect on the indexer, you can enable indexed real-time searches. By default, Splunk allows users with the Admin role to run and save real-time searches.

How does Real-time search operate?

Splunk real-time searches scan incoming events as they are indexed. The scan looks for events whose index-time fields indicate that they could match the search.

The number of matching events can fluctuate up or down over time as the search finds matching events at a faster or slower rate. While a real-time search runs, Splunk periodically evaluates the search criteria against the events that fall within the sliding time-range window you defined for the search.

The example real-time search in the screenshot uses a one-minute time-range window. At the point the screenshot was captured, the search had scanned 298 events since it was launched. The matching-event count of 218 is the number of events matching the search criteria that were recognized within the last minute.

As you can see, the newest events appear at the right-hand side of the timeline. As time passes, the events move to the left until they drop off the left-hand side and vanish from the time-range window entirely. A real-time search keeps running until you or another user stops it or cancels the search job; it should not time out for any other reason.

Real-time searches have the advantage of supporting more search functionality, including lookups, transactions and so on. Other search commands, such as streamstats, are meant to be used specifically in conjunction with real-time searches.

Indexed real-time search

As stated earlier, real-time searches hurt performance. One solution is to enable indexed real-time search, which runs the search like a historical search but continually updates it with new events as they appear on disk.

Use indexed real-time search only when you do not require up-to-the-second accuracy.

Indexed real-time search can be enabled by users with file-system access, such as system administrators.

The sync-delay lag time

Remember that the results returned by an indexed real-time search lag behind those of a real-time search. Built into indexed real-time searches is a synchronization delay. The sync delay is a safety measure that ensures none of your data is missed.

Reasons why your data will not appear on disk in indexed order:

  • Splunk uses multiple threads to index concurrently
  • Sync-delay ordering on your operating system

An indexed real-time search remembers the latest indexed event returned in the current iteration of the time-range window. That event is used as the starting point for the next iteration of the window. Without the sync delay, some events older than that latest event might not be searchable yet, and they could be skipped because the time window keeps shifting.

You can control the number of seconds of sync-delay lag time with the setting

By default, this delay is set to 60 seconds.
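To make the sync-delay mechanism concrete, here is an added Python simulation of the iteration described above; it is not Splunk code, and the sample events, their `visible_at` times and the three-second delay are constructed assumptions. It shows an event that reaches disk out of indexed order being skipped when the delay is 0 and picked up when a delay is applied.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    id: str
    indextime: int   # index time assigned by the indexer (seconds)
    visible_at: int  # wall-clock second at which the event is readable on disk


# Constructed sample: event "c" was assigned indextime 12 by a slower indexing
# thread but only became readable on disk at second 15, after later events.
SAMPLE = [
    Event("a", 10, 10),
    Event("b", 11, 11),
    Event("d", 13, 13),
    Event("e", 14, 14),
    Event("c", 12, 15),  # out of indexed order on disk
    Event("f", 16, 16),
]


def on_disk(events, now):
    """Events that are readable on disk at wall-clock second `now`."""
    return [e for e in events if e.visible_at <= now]


def indexed_realtime(events, start, end, sync_delay):
    """One pass per second: pick up events whose indextime is newer than the
    cursor (latest indextime seen so far) but no newer than now - sync_delay,
    then advance the cursor to the latest indextime in the batch."""
    cursor = -1
    seen = []
    for now in range(start, end + 1):
        upper = now - sync_delay
        batch = sorted(
            (e for e in on_disk(events, now) if cursor < e.indextime <= upper),
            key=lambda e: e.indextime,
        )
        if batch:
            seen.extend(e.id for e in batch)
            cursor = batch[-1].indextime
    return seen


if __name__ == "__main__":
    print("no delay :", indexed_realtime(SAMPLE, 10, 20, 0))  # "c" is skipped
    print("3s delay :", indexed_realtime(SAMPLE, 10, 20, 3))  # all events seen
```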

Historical Searches & Reports

A historical search has a defined time range, such as the past hour, the previous day, or a period between two dates. Historical searches are mostly used to review past data, but they can also be set to review events with future-dated timestamps; this depends on the data in your index.

