Real-time

The custom Real-time option gives you the ability to set the start time for your real-time time range window. Keep in mind that the search time ranges for historical searches are set at the time at which the search runs. With real-time searches, the time ranges are constantly updating and the results accumulate from the beginning of your search.

You can also specify a time range that represents a sliding window of data, for example, the last 30 seconds.

When you specify a sliding window, Splunk takes that amount of time to accumulate data. For example, if your sliding window is 5 minutes, you will not start to see data until after the first 5 minutes have passed: