Hi everyone,

I'm currently testing a migration from Splunk 7.2.6 to Splunk 8.1.3.

I'm using a realtime search (indexed realtime search to be precise) that is lookup on all my events to look which events have a specific field. This  specific is added thanks to an automatic lookup.

I don't have any issue on Splunk 7.2.6 but now I'm stuck with a weird behavior. When I'm running my realtime search, it's like it's having its own context about eventtypes and automatic lookup because if I add new items to my automatic lookup (which by the way is a KVStore), these items are not identified in the logs. Similarly with eventtypes, if I add an eventtype on specific events, if the real-time search identifies one of these events, I don't see the new eventtype.
I tried to modify/remove entries from my automatic lookup and add/modify/remove eventtypes without restarting the realtime search and what appears is that the realtime search never updates with this modified information (automatic lookup or eventtype).

If I restart the real time search, the changes are taken into account (which validates this "context" hypothesis)

From what I have read here (https://docs.splunk.com/Documentation/Splunk/8.1.3/Search/Aboutrealtimesearches), I understand that indexed real-time searches are like standard searches but put together :

This runs searches like historical searches, but also continually updates the search with new events as the events appear on disk. 

So if it's working like that, the context should be updated after a few moment but it's not the case ...

Can someone help me on this issue ? Is it something possible ? Do I have to setup some configuration parameters on my settings files ?

Thank you