Windowed Real Time: uses earliesttime=rt-1 latesttime=rt
Non Windowed Real Time: earliesttime=rt latesttime=rt
Let me share my experience so far on this matter:
They can be compared with these parameters:
1. cpu 2. ram 3. diskspace 4. #events 5. querytime 6. overhead
Windowed RT
cpu-fraction of core per search as above
events-Query returns mostly fixed number of events, with some marginal fluctuation
querytime-mostly the same due to event count
ram-mostly fixed amount with some fluctuations due to above events count
diskspace for query-increasing and can exhaust the disk space quota per user
overheads-Window management overhead
Non Windowed RT
cpu-fraction of core per search as above
events-Query returns a continuously increasing number of events, since it's all real time and the events continue to increase over time
querytime-as the event count increases, the query run time also increases due to processing more events
ram-increasing amount of ram consumed as the event count keeps increasing
diskspace for query-same as windowed, increasing and can exhaust the disk space quota per user
overheads-No window management overhead, uses all events in real time
In comparison, Windowed RT is preferable, even though there is rolling window management overhead, due to the above plus points. The only minus point is that the disk space keeps on increasing and can exhaust the quota. Hence the windowed real time query can periodically be disabled and enabled to clean up the disk space used and start over.