I've set the
earliest_time: 'rt-7s' and
latest_time: 'rt' and am polling the job's preview regularly for updates.
Thanks in advance!
I am also experiencing the same problem. My results are delayed approximately 30 seconds. Does anyone have a solution?
I've also settled for this way for now. My company is going to submit a support request today or tomorrow, so I'll post back if there's a solution.
There is a setting in limits.conf:
* Should we use the indexedRealtime mode by default
* Precedence: SearchHead
* Defaults to false
This might have the effect of delaying your "real time" search results if it is enabled on your search head.
It's disabled by default, so I doubt this is the OP's problem. And in my case, enabling it makes the delay even longer! But that's somewhat normal I think, since this gets you results only after they've been indexed.
The problem is that the real-time search isn't actually real-time!
Based on @sjohnson's answer, @sk4l's comments, and some research of my own, I've sort of figured out what's going on in my environment:
indexed_realtime_use_by_defaultin limits.conf was
indexed_realtime_disk_sync_delaywhich was not set, which means that it was using the default delay of 60 seconds (which is why I saw the 60 second delay I mentioned in the original post).
My use case was to see data over the past couple of seconds as it comes in, so doing a non-indexed search could be an acceptable solution in my case.