Is there any way to combine historical and realtime searches into a single search?
For example, I'd like to be able to search starting at (say) earliest=-5m@m and continue realtime into the future @ 1m increments.
The goal is to get a little context in your real time searches with what might have happened just before starting it.
But, that makes me wonder if you could combine results from a historical sub-search into a real-time search. Seems like it should be possible.
Yup, there it is in the docs - "However, you cannot run a single search on both real-time data and historical data at the same time."
Anyone have an idea on when this kind of feature could become available? This seems like a very natural type of request to me that would be very beneficial to a lot of users.
Same here, I have had a LOT of clients ask about it. I end up having to create two graphs next to each other on a dashboard, one backward-looking, one forward-looking, if they don't plan on keeping the dashboard open longer than the range of the realtime search. (If they do, once events expire off the end of the realtime search, a gap in time will grow between the historical graph and the realtime. In that case I say just leave the realtime graph open and let it populate.)