I haven’t run into any lag with the test rule function. The same query logic over the same time range should produce the same results.

The 2 main things I run into which causes a difference from UDM search and test rules is either a mis matched time range between the two, or a difference caused by UDM search defaulting to ‘nocase’ and the detection requiring individual fields be marked nocase.

There is a small latency on the pipeline used for Rules Engine.  If you go to your Rules Dashboard tab you should see a `Data freshness` value which gives you an indicator of the latency at that moment in time, and that latency, and you can also infer this based on the last available timestamp for Rule Test time range picker.

For rule development and testing I would recommend you don’t focus on near realtime logs if you need to evaluate and compare against a baseline of data from UDM Search.

What variables impact data freshness?

I'm not aware it’s officially documented but there are multiple enrichment pipelines that are used in the platform, e.g,. pipelines that apply user or asset enrichment, process aliasing, geo-ip enrichment, etc… within the rules engine one taking longer to be applied than in the UDM Search pipeline.  The plan is that the Rules Engine one will be reduced in latency in the next few months and you should see lower time, but to the original question, unless you need to test against real time logs it’s best to choose  end end time of -1 hour in both rules and search and then (other than if you have late arriving data) you will get more consistent results for rule development and validation