Elasticsearch is near real-time. I just wonder, when it comes to observability (and security), does NRT mean that I can't get insight instantly when my cluster is hacked very quickly? E.g. I got hacked and this event data is in the translog, therefore I can't search for it.
I got the idea after I installed MySQL Filebeat and didn't get the error log instantly.
What was the delay? How much time passed between the event and the data being available to search in Elasticsearch?
Elasticsearch can be near real-time: you can have the data available to search pretty quickly, but this depends on a couple of factors, as you can have delays in many other places that are not managed by Elasticsearch but can impact it.
For example, if you have Filebeat reading a file, by default and not considering any other issues, the event can take around 30 seconds to be available for search, but it can also be available in less time.
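One way to answer the "what was the delay?" question above, as an added example that is not code from this thread: measure the lag per document between Filebeat's `@timestamp` (event time) and the ECS `event.ingested` field an ingest pipeline sets, and flag events that took longer than the 30-second figure mentioned to reach Elasticsearch. The sample documents are constructed, not from a real cluster.

```python
import math
from datetime import datetime

# Constructed sample docs (not from a real cluster): Filebeat sets "@timestamp"
# from the log line; an ingest pipeline sets "event.ingested" when indexing.
SAMPLE_DOCS = [
    {"@timestamp": "2024-01-01T12:00:00.000Z", "event": {"ingested": "2024-01-01T12:00:01.200Z"},
     "message": "[Note] Access denied for user 'app'@'10.0.0.5'"},
    {"@timestamp": "2024-01-01T12:00:05.000Z", "event": {"ingested": "2024-01-01T12:00:05.800Z"},
     "message": "[Warning] Aborted connection 42 to db: 'shop'"},
    {"@timestamp": "2024-01-01T12:01:00.000Z", "event": {"ingested": "2024-01-01T12:01:35.000Z"},
     "message": "[Note] Access denied for user 'root'@'10.0.0.9'"},
    {"@timestamp": "2024-01-01T12:03:00.000Z",  # no ingest pipeline ran: lag unknown
     "message": "[Note] InnoDB: Buffer pool(s) load completed"},
]

def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps Filebeat and ingest pipelines write."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")

def ingest_lag_seconds(doc):
    """Seconds from the event's own time to when Elasticsearch ingested it;
    None when event.ingested is absent, so the lag cannot be measured."""
    ingested = doc.get("event", {}).get("ingested")
    if ingested is None:
        return None
    return (parse_ts(ingested) - parse_ts(doc["@timestamp"])).total_seconds()

def percentile(values, pct):
    """Nearest-rank percentile, adequate for the small batches a lag check samples."""
    ordered = sorted(values)
    return ordered[max(0, math.ceil(pct / 100.0 * len(ordered)) - 1)]

def lag_report(docs, threshold_s=30.0):  # 30 s: the worst case discussed above
    """Summarise ingest lag and list events that were not ingested within threshold_s."""
    lags, slow, unmeasured = [], [], 0
    for doc in docs:
        lag = ingest_lag_seconds(doc)
        if lag is None:
            unmeasured += 1
            continue
        lags.append(lag)
        if lag > threshold_s:
            slow.append({"message": doc["message"], "lag_s": lag})
    return {"measured": len(lags), "unmeasured": unmeasured,
            "max_lag_s": max(lags) if lags else None,
            "p95_lag_s": percentile(lags, 95) if lags else None,
            "over_threshold": slow}
```

This measures collection plus ingest delay only; the index refresh (`index.refresh_interval`, 1 s by default) still sits between ingest and the document becoming searchable, so add that to the budget.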
Really helpful. And does NRT matter when it comes to security scenarios? Can Elastic SIEM & XDR detect threats in real time?