Real-time searches and reports in the CLI

To run a real-time search in the CLI, replace the command "search" with "rtsearch":

     ./splunk rtsearch 'eventtype=pageview'

Use the highlight command to emphasize terms in your search results. The following example highlights "GET" in your page view events:

     ./splunk rtsearch 'eventtype=pageview | highlight GET'

By default, search results have line wrapping enabled. Use the -wrap option with a value of 0 to turn off line wrapping:

     ./splunk rtsearch 'eventtype=pageview' -wrap 0

Real-time reports in the CLI also display in preview mode and update as the data streams in:

      ./splunk rtsearch 'error | top clientip'

Use the -preview option to suppress the results preview:

      ./splunk rtsearch 'error | top clientip' -preview false

If you turn off preview, you can still manage (Save, Pause, Finalize, or Delete) the search from the Jobs page in Splunk Web. After you finalize the search, the report table will display. For more information, see "Supervise jobs with the Jobs page" in this manual.

To run a windowed real-time search, use the earliest_time and latest_time parameters. Real-time parameter values (for example, 'rt-30s') must be enclosed in single quotation marks:

      ./splunk rtsearch 'index=_internal' -earliest_time 'rt-30s' -latest_time 'rt+30s'

Note: The real-time search mode can only be set at the API level, so the search does not run if you specify the real-time time range modifiers inside the search string itself. The earliest_time and latest_time CLI parameters set the same-name arguments in the REST API. See Search endpoint descriptions, then navigate to search/jobs, under POST click Expand, and locate search_mode.
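The note above says that the CLI's real-time parameters are really arguments to the REST API's search/jobs endpoint. The following script is an added example, not Splunk's own code, that builds the same windowed real-time search as the CLI command (search_mode=realtime, earliest_time and latest_time as separate form fields rather than modifiers in the search string) and, optionally, submits it. The host, port, credentials, environment variable names and CA bundle path are assumptions; the request is only sent when SPLUNK_HOST is set, so the builder and response parser can be exercised offline.

```python
"""Start a windowed real-time search through POST /services/search/jobs.

Added example; assumptions (not from the page): SPLUNK_HOST, SPLUNK_USER,
SPLUNK_PASSWORD and SPLUNK_CA_BUNDLE environment variables, management port
8089, and that the REST API is reachable from this machine.
"""
import base64
import json
import os
import ssl
import urllib.parse
import urllib.request


def build_rt_job_request(search, earliest="rt-30s", latest="rt+30s"):
    """Return the form fields that make search/jobs run a windowed real-time search.

    search_mode=realtime is what the CLI sets on your behalf; the window comes
    from earliest_time/latest_time, never from modifiers in the search string.
    """
    search = search.strip()
    if not search.startswith(("search ", "|")):
        # REST search strings need a leading generating command, unlike the CLI
        search = "search " + search
    for value in (earliest, latest):
        if not value.startswith("rt"):
            raise ValueError(f"real-time window values must start with 'rt': {value!r}")
    return {
        "search": search,
        "search_mode": "realtime",
        "earliest_time": earliest,
        "latest_time": latest,
        "output_mode": "json",
    }


def encode_form(fields):
    """URL-encode the form body ('+' in rt+30s becomes %2B, so it survives intact)."""
    return urllib.parse.urlencode(fields).encode()


def parse_sid(response_body):
    """Extract the search id from the JSON reply of search/jobs (e.g. {"sid": "..."})."""
    return json.loads(response_body)["sid"]


def start_rt_search(fields, host, port=8089, user="admin", password="", cafile=None):
    """Submit the job with HTTP basic auth over TLS and return its sid.

    TLS verification stays on; point cafile at the bundle that signed the
    management port certificate instead of disabling verification.
    """
    url = f"https://{host}:{port}/services/search/jobs"
    req = urllib.request.Request(url, data=encode_form(fields), method="POST")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, timeout=30, context=ctx) as resp:
        return parse_sid(resp.read())


if __name__ == "__main__":
    fields = build_rt_job_request("index=_internal")  # same search as the CLI example
    print(encode_form(fields).decode())
    host = os.environ.get("SPLUNK_HOST")
    if host:
        sid = start_rt_search(
            fields,
            host,
            user=os.environ.get("SPLUNK_USER", "admin"),
            password=os.environ.get("SPLUNK_PASSWORD", ""),
            cafile=os.environ.get("SPLUNK_CA_BUNDLE"),
        )
        print("started real-time job:", sid)
```

The returned sid is the same job id that appears on the Jobs page in Splunk Web, so a job started this way can be paused, finalized or deleted there exactly like one started with rtsearch -preview false.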

You can view all CLI commands by accessing the CLI help reference. For more information, see "Get help with the CLI" in this manual.