I have some Windows perfmon events being indexed every 60s. When I perform a 15min historical search I see all the events that I expect to see (15 events in total). However, If I perform a 15m Real Time search (rt-15m) I see the 15 past events as expected but I then do NOT see any new events that come in.
Every minute an event drops out of the results list as the 15m window slides to the current time, but no new events appear.
Splunk version: 5.0.2 Search: index=perfmon host=<servername> object=Processor counter="% Processor Time"
I am using the time picker to specify the search windows.