I have gone through the Splunk docs. They say that real-time search is basically used to search events before they get indexed. However, I need a few clarifications on this, below.
RT search processes un-indexed data. So how could it identify both index-time and search-time fields? Will it process the field extractions once it finds a match in incoming events?
The data is not indexed yet. So how could it look for its sourcetype, source, and host, since all are index-time only?
Could someone explain in detail?
Thanks in advance
You are correct in that real-time searches grab the data before it hits the index queue; however, real-time searches do have access to search-time field extractions, which happen in the parsing queue.
When events reach Splunk, they go through different stages of a pipeline, which is explained in detail here:
http://docs.splunk.com/Documentation/Splunk/6.2.0/Deploy/Datapipeline
Also look at http://wiki.splunk.com/Community:HowIndexingWorks
Good reads about real-time searches are:
http://docs.splunk.com/Documentation/Splunk/6.1/Search/Aboutrealtimesearches
http://docs.splunk.com/Documentation/Splunk/6.1/Search/RealtimesearchesandreportsinSplunkWeb
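As an added illustration (not part of the original question or answer), here is a windowed real-time search that combines the two kinds of fields the question asks about. The index name `web`, the sourcetype `access_combined`, and the regex are assumptions for the example; `earliest=rt-5m latest=rt` is the standard syntax for a 5-minute real-time window:

```spl
index=web sourcetype=access_combined host=www* earliest=rt-5m latest=rt
| rex field=_raw "\"\s(?<status>\d{3})\s(?<bytes>\d+)$"
| eval is_error=if(status>=500, 1, 0)
| stats count AS requests, sum(is_error) AS server_errors BY host, status
```

The `index`, `sourcetype`, and `host` filters on the first line use fields that are assigned to every event as it passes through the pipeline, so the real-time search can match on them as events stream in. The `status` and `bytes` fields, by contrast, exist only because the `rex` command extracts them from `_raw` at search time on each event the window delivers; nothing is written back to the index by this search.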