Splunk search for Sourcetypes with High Indexing Lag Time
| tstats count where index=* by _time, _indextime, sourcetype | rename _* as * | eval diff_secs=indextime-time, diff_hours=diff_secs/60/60 | stats max(diff_secs) as diff_secs, max(diff_hours) as diff_hours by sourcetype
This search looks at every indexed event and compares the time the event was written to the index (_indextime) with the timestamp parsed from the event itself (_time). Because it uses tstats, it reads only the index-time metadata in the tsidx files rather than raw events, so it runs quickly even across index=*. The result is the largest gap, in seconds and hours, for each sourcetype, which makes it useful for spotting sourcetypes with a large delta between index time and event time (indexing lag). A positive gap means events arrive late; a negative gap means events carry timestamps that are ahead of the time they were indexed, which usually points to clock skew on the source or a mis-parsed timestamp. Sustained lag matters for detection, since a scheduled search over the last hour will simply miss events that have not been indexed yet.
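The same search, extended as an added example (not part of the original post) so that it only reports sourcetypes that need attention: it keeps the minimum gap as well as the maximum to catch future-dated events, and filters on a lag threshold. The 1-hour threshold and the field names max_lag_secs, min_lag_secs, events and status are assumptions chosen here, not fields Splunk supplies.

```spl
| tstats count where index=* by _time, _indextime, sourcetype
| rename _* as *
| eval diff_secs=indextime-time
| stats max(diff_secs) as max_lag_secs, min(diff_secs) as min_lag_secs, sum(count) as events by sourcetype
| eval max_lag_hours=round(max_lag_secs/3600, 2)
| eval status=case(min_lag_secs<0, "future timestamps (clock skew or bad time parsing)", max_lag_secs>3600, "lagging more than 1h", true(), "ok")
| where status!="ok"
| sort -max_lag_secs
```

Run it over a window at least as long as the lag you expect to find (for example earliest=-24h), since tstats can only compare events that fall inside the search time range.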