I am trying to join in some status information in real time against a static list of data, but I am getting an error when setting my subsearch to real time: invalid value "rt-1h" for time term 'earliest'.
What's going wrong here?
(reason: I have a static list of apps in one index, and need the status from a log line in another. The status might not be there - in that case I have to assume the app is down - so I need the static list of apps to join against.)
Search: (all time, as app listing could be quite old)
index=applisting | table app | join type=outer app [search index=appstatus earliest=rt-1h latest=rt | dedup app | table app status]
From this answer it looks like they're not meant to be used. So how does one kick off a real-time search from the search bar?