I have a stream of events coming continuously, but with lag from the source which varies from 5 to 15 mins.
I want to run real-time searches based on these events, so I use rt-15m. But after search, I need to send email alerts based on search results. Problem is that in alerting settings, I can't set rt-15m, only rt.
How can I set up alerts to run in earliest=rt-30m latest=rt-15m time frame?
The fixed latest time range value for any real-time search is "now", so it has to be rt only.(that way only it can have a sliding window for past so and so period). For your case, the lag varies from 5 to 15 mins and if you just use the rt-30m to rt, you should get all the events anyways.
Also, consider using a regular search running more frequenly as the real-time searches are expensive and should be avoided, if possible.