Add basic RT search support

[mleonh]

Adds initial support for real-time searches (#6)

• Use ':rt query' to start a real-time search
  • New events should be printed as they arrive
• The repl can be used while rt search is ongoing – prompt indicates a running rt search
• Starting a second rt search stops the first one
• Use ':exit' to end a running rt search

Open questions:

• Not sure about using :exit to end real-time query, introduce separate command?
• Abillity to use repl while rt search is running can be confusing (new events are printed while typing a command)
• New events are output as chunks, which could be improved, e.g. json output should be [{},{},{}] instead of (invalid) [{},{}][{},{},{}] – similar for tables. not an issue with regular output
• Had to change prompt/repl eval handling a bit – possible issue? what was the original motivation behind the --hosted flag?
• Tell splunk sdk to discard search results at some point (if possible) – otherwise this is a memory black hole?

[glennblock]

Thank you for this Martin! I am slammed right now with .conf next week, but I'll look into this.

In the meanwhile, can you fill out our CLA here: http://www.splunk.com/goto/contributions?

[glennblock]

Some quick thoughts

• The --hosted flag is for hosting in Sublime Text via Sublime REPL. I found relying on the default prompt handling didn't work right / caused duplicate prompts. I suspect the behavior is the same for hosting in other environments.
• :rt looks fine to me as a command for RT queries.
• Agreed that streaming in between as users are typing is weird, and I'd go further and say not desired. I'd prefer if by default RT would block and just let you monitor stuff as it comes in. You can always open another terminal instance to do something else while it streams.
• For stopping RT, if you go with blocking, you could make that as simple as when a key is pressed. Or you could prompt when the user hits a key to ask the to stop the query.

I haven't looked yet at how you are doing the RT query with the SDK, but I'll take a look at everything.

Also I'll be creating a develop branch you can submit your PR to.

[mleonh]

Updated this to block on RT searches until any key is pressed.

[glennblock]

Tested it out, looks great. Just looking through the code now. Thanks for your patience.

[glennblock]

I don't think this is needed anymore as the realtime search exits before you get to the cmd prompt with your last change right?