In This Article
- The Real-Time Reality Check: Do You Actually Need Sub-Second?
- The Latency Spectrum: Batch, Near-Real-Time, and Streaming
- Real-Time BI Architecture: Four Building Blocks
- Streaming Infrastructure: Event Hubs, Kafka, and Fabric Real-Time Intelligence
- Semantic Model Design for Real-Time: DirectQuery, Import, and Hybrid
- Six Real-Time Analytics Use Cases That Justify the Investment
- Governance for Real-Time: Data Quality at Streaming Speed
- Implementation Approach: Incremental, Not Big Bang
- Go Deeper
The Real-Time Reality Check: Do You Actually Need Sub-Second?
A logistics company's CTO mandates "real-time analytics." The data engineering team builds a streaming pipeline with Apache Kafka, processes events through Azure Stream Analytics, and delivers a dashboard that refreshes every 2 seconds showing package tracking status across 40,000 daily shipments. Cost: $180,000 in engineering effort plus $4,000/month in streaming infrastructure. The operations team reviews the dashboard and asks: we already get package scans every 15 minutes from the carrier API — what decisions change because we see them 2 seconds after the scan instead of 15 minutes? The honest answer: none. The dispatchers make routing decisions in 30-minute windows. The customer service team responds to inquiries within 2 hours. Nobody in the organization makes decisions at 2-second latency. The real-time investment solved a technology problem nobody had.
Real-time analytics creates value when three conditions align: the decision latency (how fast must someone act?) demands the data latency (how fresh must data be?) to be shorter than what batch processing (the cheaper alternative) provides. If the decision can wait 15 minutes, near-real-time (micro-batch every 5-15 minutes) costs a fraction of true streaming and serves the need. If the decision can wait until tomorrow, the nightly batch refresh that's already running is the right answer.
Before building real-time analytics, answer one question: what decision changes if data arrives 10 seconds after the event versus 15 minutes after? If the answer is "none" — and for most enterprise analytics it is — near-real-time or scheduled refresh is the right architecture at a fraction of the cost. Reserve true streaming for decisions where latency directly affects outcomes: fraud detection, algorithmic trading, industrial safety monitoring, and live operations.
The Latency Spectrum: Batch, Near-Real-Time, and Streaming
Data freshness is a spectrum, not a binary. The right architecture matches data latency to decision latency — which varies across the organization. The CFO reviewing monthly financials needs batch (daily refresh is more than sufficient). The operations manager monitoring fulfillment needs near-real-time (15-minute refresh). The fraud analyst reviewing transactions needs streaming (sub-second).
| Pattern | Data Latency | Technology | Cost Profile | When to Use |
|---|---|---|---|---|
| Batch | Hours to daily | Scheduled ETL/ELT, data pipelines | Lowest — runs during off-peak | Strategic decisions, financial reporting, historical analysis |
| Near-Real-Time | 5-30 minutes | Micro-batch, scheduled refresh, change data capture | Moderate — incremental processing | Operational dashboards, inventory updates, SLA monitoring |
| Streaming | Seconds to sub-second | Kafka, Event Hubs, Fabric Real-Time Intelligence, Stream Analytics | Highest — always-on infrastructure | Fraud detection, IoT monitoring, live operations, algorithmic decisions |
Most enterprises need all three patterns operating simultaneously — batch for strategic analytics, near-real-time for operational analytics, streaming for the small number of use cases where latency affects outcomes. The architecture should support the spectrum, not force everything through one pattern.
Real-Time BI Architecture: Four Building Blocks
Real-time analytics architecture has four layers, each with specific technology choices and design considerations.
Event Ingestion
Captures events from source systems as they occur. Azure Event Hubs for Azure-native workloads, Apache Kafka for multi-cloud and on-premises, Amazon Kinesis for AWS-native. The ingestion layer must handle the peak event volume with headroom — an IoT deployment generating 50,000 events/second needs ingestion infrastructure sized for 2-3x peak.
Stream Processing
Transforms raw events into analytical signals. Azure Stream Analytics for SQL-based transformations, Apache Flink for complex event processing, Spark Structured Streaming for integration with the lakehouse. The processing layer handles windowed aggregations (5-minute averages), pattern detection (three failed logins within 60 seconds), and enrichment (joining event data with reference data).
Serving Layer
Makes processed analytics available for consumption. Fabric Real-Time Intelligence (KQL databases) for operational dashboards, Azure Data Explorer for log and telemetry analytics, materialized views in the warehouse for near-real-time BI. The serving layer determines the query performance users experience.
Visualization and Action
Power BI with DirectQuery for near-real-time dashboards, custom dashboards with WebSocket connections for true real-time displays, and automated actions (alerts, triggers, API calls) for decisions that shouldn't wait for a human to look at a dashboard.
Streaming Infrastructure: Event Hubs, Kafka, and Fabric Real-Time Intelligence
The streaming infrastructure choice depends on the existing technology investment, the event volume, and the operational team's capability.
Azure Event Hubs + Stream Analytics is the right choice for Azure-native organizations with moderate event volumes (up to millions of events per second). Fully managed, no cluster operations, SQL-based stream processing. The limitation is processing complexity — Stream Analytics handles windowed aggregations and basic pattern detection but lacks the advanced stateful processing Flink provides.
Apache Kafka + Flink/Spark Streaming is the right choice for organizations needing multi-cloud portability, complex event processing, or the largest event volumes. Kafka's pub-sub model handles billions of events per day. Flink handles complex stateful processing that Stream Analytics can't. The trade-off: Kafka clusters require operational expertise — sizing, partition management, consumer group management, and the monitoring that prevents the failures that take down production event streams.
Fabric Real-Time Intelligence is Microsoft's newest entry — KQL (Kusto Query Language) databases for event analytics, integrated with the Fabric platform. Best for organizations already on Fabric who want real-time analytics without managing separate streaming infrastructure. Eventhouse for event storage, KQL for analysis, Real-Time Dashboard for visualization, and Activator for automated actions triggered by data conditions. The integration with Power BI and the broader Fabric platform is the differentiator.
Semantic Model Design for Real-Time: DirectQuery, Import, and Hybrid
The Power BI semantic model architecture determines whether real-time data reaches dashboards at the latency the use case requires.
Import mode (the default) loads data into the Power BI model on a schedule. Maximum freshness is limited by the refresh schedule — every 30 minutes with Pro, every 15 minutes with Premium. This is sufficient for near-real-time use cases but not for true streaming.
DirectQuery mode sends queries to the source system in real time — every dashboard interaction generates a live query. Data is always current. The limitation is query performance — complex reports with many visuals generate many concurrent queries against the source, and performance depends on the source system's query capacity. DirectQuery works for simple operational dashboards against performant sources (Azure Synapse, Fabric warehouse, Databricks SQL). It struggles with complex analytical queries or sources that can't handle the concurrency.
Hybrid (composite model) combines import and DirectQuery — historical data imported for fast analytical queries, real-time data served through DirectQuery for current operations. This is the right architecture for most real-time BI scenarios: the monthly trend analysis runs against imported data at full speed, while the current-day operational view queries the live source. Hybrid requires careful data model design to avoid the query performance problems of pure DirectQuery.
Six Real-Time Analytics Use Cases That Justify the Investment
Not every analytics use case justifies real-time architecture. These six do — because the decision latency demands data freshness that batch processing can't provide.
Fraud Detection and Transaction Monitoring
Financial transactions must be evaluated before authorization (latency: milliseconds to seconds). Real-time scoring against ML models that detect anomalous patterns — unusual amounts, unusual locations, unusual timing, unusual velocity. The cost of a missed fraud event far exceeds the infrastructure cost. This is the canonical real-time analytics use case.
IoT and Industrial Monitoring
Manufacturing equipment, utilities infrastructure, and fleet vehicles generate continuous telemetry. Real-time anomaly detection identifies equipment failures, quality deviations, and safety conditions before they become incidents. Predictive maintenance models score equipment health continuously. The cost of unplanned downtime (often $10,000-$100,000+ per hour) justifies the streaming investment.
Live Operations Command Centers
Logistics operations, airline operations, emergency services, and network operations centers need current operational state — not yesterday's state. Package location, flight status, incident response, network health. These operations make decisions in minutes; data latency must be shorter than decision latency.
Dynamic Pricing and Yield Management
Airlines, hotels, ride-share, and e-commerce adjust pricing based on real-time demand signals. Price changes that lag demand by hours lose revenue. Real-time demand sensing (search volume, booking pace, competitor pricing) feeds pricing algorithms that adjust rates continuously.
Customer Experience Monitoring
Digital experience monitoring (page load times, error rates, checkout completion) requires real-time visibility because user experience degrades happen fast and compound — a 5-minute outage during peak traffic affects thousands of sessions. Real-time dashboards with automated alerting detect degradation before customer complaints arrive.
Cybersecurity and Threat Detection
Security Information and Event Management (SIEM) correlates events across networks, endpoints, and applications in real time to detect threats. A brute-force attack generates events across seconds. A data exfiltration attempt generates events across minutes. Batch analytics that detects these hours later detects them too late.
Governance for Real-Time: Data Quality at Streaming Speed
Real-time analytics introduces governance challenges that batch processing doesn't face. In batch processing, data quality checks run after data loads — a quality gate prevents bad data from reaching consumers. In streaming, data arrives continuously. Quality checks must run at streaming speed without introducing latency that defeats the purpose of real-time.
Stream Quality Patterns
Schema validation at ingestion: Reject events that don't conform to the expected schema before processing. This catches malformed events from malfunctioning source systems — a surprisingly common source of real-time data quality issues.
Statistical anomaly detection on event streams: Monitor event rate, value distributions, and patterns in real time. A sudden 10x spike in event volume might indicate a legitimate surge — or a malfunctioning source generating duplicate events. Statistical monitoring distinguishes between the two and alerts when investigation is warranted.
Late-arriving data handling: Events don't always arrive in order. A network delay might cause an event from 10 minutes ago to arrive now. Stream processing must handle late-arriving data gracefully — watermarks (how long to wait for late data), side outputs (where to route late-arriving data), and reconciliation processes that correct any analytics affected by late data.
Real-time vs. reconciled views: The real-time view is operationally current but may contain unreconciled data. The reconciled view runs after quality checks complete — typically 1-4 hours behind real-time. Operational decisions use the real-time view. Financial analytics and regulatory reporting use the reconciled view. Both must exist; governance defines which decisions use which view.
Every real-time analytics system needs a reconciliation process. Real-time data is operationally current but may contain errors, duplicates, and late-arriving events. The reconciliation process runs in batch (hourly or daily), corrects the real-time layer, and produces the auditable view that finance, compliance, and regulatory reporting require. Organizations that skip reconciliation discover the discrepancy during month-end close — which is the wrong time to discover it.
Implementation Approach: Incremental, Not Big Bang
Real-time analytics implementation should be incremental — start with one use case that justifies the investment, prove the architecture, then expand. Big-bang approaches that attempt to stream everything from day one produce expensive, fragile infrastructure that nobody trusts because nobody had time to validate the data.
Phase 1: Single Use Case (Weeks 1-8)
Select the use case with the clearest decision-latency justification (from the six patterns above). Build the streaming pipeline for that specific data source. Deploy the serving layer and visualization. Validate with the operational team that uses it. Measure the decision impact. This phase proves the architecture and produces the operational learning that informs scaling.
Phase 2: Architecture Hardening (Weeks 9-14)
Based on Phase 1 learnings: harden monitoring and alerting, implement the reconciliation process, establish the operational runbook for streaming infrastructure failures, and optimize cost (streaming infrastructure costs compound if not managed). This phase makes the architecture production-grade rather than proof-of-concept grade.
Phase 3: Additional Use Cases (Weeks 15+)
Onboard additional data sources and use cases onto the proven architecture. Each additional use case follows the same pattern: validate the decision-latency justification, build the specific pipeline, validate with users, measure impact. The architecture scales horizontally; the operational discipline scales with each use case onboarded.
The Xylity Approach
We implement real-time analytics with decision-latency-first scoping. If your decision can wait 15 minutes, we build near-real-time at a fraction of streaming cost. If sub-second matters (fraud, IoT safety, live operations), we build true streaming with the governance and reconciliation that make real-time trustworthy. We work with your data engineers and Power BI developers to build the capability your team operates independently.
Go Deeper
Continue building your understanding with these related resources from our consulting practice.
Real-Time Analytics at the Right Latency
Not everything needs sub-second. We match data latency to decision latency — streaming where it matters, near-real-time where it's sufficient, batch where it's right.
Discuss Your Real-Time Analytics Needs →