Understand Fixed-time versus Real-time Searches

Search results can be based on a fixed time range or stream in real time as new events match the search query.

Fixed-time Searches

A fixed-time search retrieves results for a fixed time range, that is, a range with fixed start and end values, for example 10:00 AM to 10:00 PM on May 29. The search can also use a dynamic range, such as the last 30 minutes or the last 24 hours; the range is resolved once, when the search runs. After the system retrieves the results, Search does not update the dataset again. To see more recent events, you must re-run the search, and if you used a specific end time, reconfigure the end time first.

Real-time Searches

A real-time search constantly updates the results of your query, starting from a beginning range, such as Last 30 Minutes. As long as there is data to satisfy the query, the data in the Events Table continues to build. Real-time search requires the Real-time Threat Detection service in the ArcSight SaaS environment.

Real-time searches act like session searches: their expiration time is taken from the "Session Search expires in" value in your user preferences at the moment the real-time search was created.
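The following added simulation (example code, not part of ArcSight or this documentation) makes the two behaviours concrete: a fixed-time search resolves a relative range such as "last 30 minutes" once and then freezes its results, while a real-time search starts from the same range and keeps building as matching events arrive, until its session expiry. The event feed, timestamps and the 1-hour expiry are constructed values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    name: str


class FixedTimeSearch:
    """A relative range is resolved when run(); the result set is then frozen."""

    def __init__(self, window: timedelta):
        self.window = window
        self.results: List[Event] = []

    def run(self, events: List[Event], now: datetime) -> List[Event]:
        start = now - self.window            # resolved once, at run time
        self.results = [e for e in events if start <= e.ts <= now]
        return self.results                  # later events are never added


class RealTimeSearch:
    """Starts from the relative range at creation and keeps appending matches
    until the session expiry configured when the search was created."""

    def __init__(self, window: timedelta, session_expiry: timedelta, created: datetime):
        self.start = created - window        # lower bound fixed at creation
        self.expires = created + session_expiry
        self.results: List[Event] = []

    def update(self, events: List[Event], now: datetime) -> Optional[List[Event]]:
        if now >= self.expires:
            return None                      # session expired: stops updating
        seen = set(self.results)
        self.results.extend(e for e in events if self.start <= e.ts <= now and e not in seen)
        return self.results


def demo() -> dict:
    t0 = datetime(2024, 5, 29, 10, 0)      # constructed timestamps
    window, expiry = timedelta(minutes=30), timedelta(hours=1)
    feed = [Event(t0 - timedelta(minutes=10), "failed-login")]
    fixed, live = FixedTimeSearch(window), RealTimeSearch(window, expiry, created=t0)
    fixed.run(feed, t0)
    live.update(feed, t0)
    feed.append(Event(t0 + timedelta(minutes=5), "failed-login"))   # arrives later
    live.update(feed, t0 + timedelta(minutes=5))
    return {"fixed": len(fixed.results), "live": len(live.results),
            "fixed_rerun": len(fixed.run(feed, t0 + timedelta(minutes=5))),
            "after_expiry": live.update(feed, t0 + expiry)}
```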

Options for creating searches: