That 5 minute window is sliding. It is constantly moving as the search is updated every second or so. Read http://docs.splunk.com/Documentation/Splunk/6.0/Search/Aboutrealtimesearches#Real-time_search_mechan... for exactly how it works.

OK, but where does that 5 minute window come from, is someone puts "rt" for the start and end times for a schedule search?

It gives you all the results in a sliding window. If you have an active dashboard or if you are waiting for an event to trigger for testing something, a RT search with a 5 minute window might be quite useful. Also, scheduling a RT search means you get instant alert triggers for any conditions that should be met. This means within seconds of the matching criteria being written to the indexes, an alert is fired. Most people don't need anything better than a scheduled search running every five minutes or even every minute that looks back that five minutes or single minute, though.

So, here's part II: why would anyone need to do a real-time search? I noticed searches that have a start time and an end time of "rt". What does that bring back? Seems like it would never end...

Don't forget to mark it as answered 🙂

Glad I could help!

AWESOME! Oh, lordy, lordy, lordy, that makes my day.