The problem with the goal of wanting to see the events while run in batch mode is that the batch mode execution path cannot produce the events in time-order. That would make reviewing the event stream of the search extremely confusing in some cases, and would break our general contract in any event.
That said, there's a useful Enhancement Request in here somewhere, but I'm not sure what it is exactly. Maybe something like "we want the efficiency of batch mode searches for alerting, but .... we want to see the events." I'm not sure if that's "sometimes while troubleshooting, or "in the case the alert actually fires" or what. Basically the interface has to be usable and it has to work out to somehow be cheaper than not running the search in batch mode in the first place.
... View more