Windowed real-time versus all-time real-time searches

When designing your searches, it's important to keep in mind that there is a difference between Splunk real-time searches that take place within a set window (like 30 seconds or 1 minute) and real-time searches that are set to All time.

In windowed real-time searches, the events in the search can disappear as they fall outside of the window, and events that are newer than the time the search job was created can appear in the window when they occur.

In all-time real-time searches, the window spans all of your events, so events do not disappear once they appear in the window. But events that are newer than the time the search job was created can appear in the window as they occur.

In comparison, in historical searches, events never disappear from within the set range of time that you are searching and the latest event is always earlier than the job creation time (with the exception of searches that include events that have future-dated timestamps).