I am having an issue querying with real-time search with a sliding window.
Using the query: index=main source="Perfmon:CPU Load"
With the real time window view (1 minute window), I get a number of events in the initial result, but then they all slide off as the window moves forward in time. The query returns the correct back filled data.
- When I define All time (real-time), I get new events streaming in.
- When I use the same query in normal query mode, I see that they have been indexed during the time of this query.
- No matter what window definition I use, I never stream in new results.
- I upgraded from 5.0.2, where it was also not working.
Any ideas on how to attack this problem?
I am using VMware.
OS: Windows Server 2008 R2 Standard 64 bit
Splunk: 5.0.3, Enterprise license