Splunk Searches

Splunk Search for Sourcetypes with High Indexing Lag Time Copy


				| tstats count where index=* by _time, _indextime, sourcetype | rename _* as * | eval diff_secs=indextime-time, diff_hours=diff_secs/60/60 | stats max(diff_secs) as diff_secs, max(diff_hours) as diff_hours by sourcetype

0 comments

[0]

Splunk searches relating to