Splunk search for Indexes With High Indexing Lag Time

| tstats count where index=* by _time, _indextime, index | rename _* as * | eval diff_secs=indextime-time, diff_hours=diff_secs/60/60 | stats max(diff_secs) as diff_secs, max(diff_hours) as diff_hours by index
This search looks at every indexed event, compares the time the event was written to the index (_indextime) with the event's own timestamp (_time), and reports the largest gap per index. It is useful for identifying indexes that have a large delta between index time and event time (indexing lag). Two caveats when reading the results: tstats bins _time when it is used as a by field (without an explicit span the bucket size is chosen from the search time range), so diff_secs measures the distance from the start of the time bucket rather than from the exact event timestamp; add a span to _time in the by clause if you need per-event accuracy. A negative diff_secs means the event carries a timestamp later than the moment it was indexed, which usually points at clock skew on the source or a timestamp extraction problem rather than lag.
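The variant below is an added example, not the search from the original post: it pins the _time bucket to one second so the difference reflects the individual event, keeps the same rename/eval logic, and adds an average alongside the maximum so a single badly timestamped event does not hide an otherwise healthy index. The field names max_lag_secs, max_lag_hours and avg_lag_secs are this example's own choices.

```spl
| tstats count where index=* by _time span=1s, _indextime, index
| rename _time as time, _indextime as indextime
| eval diff_secs=indextime-time, diff_hours=diff_secs/3600
| stats max(diff_secs) as max_lag_secs, max(diff_hours) as max_lag_hours, avg(diff_secs) as avg_lag_secs by index
| sort - max_lag_secs
```

With a one-second span the tstats result set grows to roughly one row per distinct (second, index time, index) combination, so run it over a bounded time range or narrow `index=*` to the indexes under investigation before leaving it in a scheduled search or dashboard.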

Category:

General Splunk


Tags:

tstats indexing lag indexing Admin troubleshooting

Search Commands:

tstats, rename, eval, stats

Comments

AhYounis | June 2023

I think it does not calculate the expected value, as it calculates the difference between the latest and earliest event within the time interval, so if I choose the interval to be one hour the difference will be one hour.