https://community.splunk.com/t5/Security/Log-latency/m-p/697130#M18089 <P>Hi Team,</P> <P>We could see latency in logs<BR /><BR />Log ingestion via - syslog<BR /><BR /></P> <P>Network devices --&gt; Syslog server --&gt; splunk&nbsp;<BR /><BR />Using below query, we could see minimum 10 mins to maxminum 60 mins log latency<BR /><BR /></P> <LI-CODE lang="markup">index="ABC" sourcetype="syslog" source="/syslog*" | eval indextime=strftime(_indextime,"%c") | table _raw _time indextime</LI-CODE> <P><BR /><BR />What should be our next steps to check where the latency is and how to fix it?</P> Fri, 23 Aug 2024 11:00:13 GMT VijaySrrie 2024-08-23T11:00:13Z https://community.splunk.com/t5/Security/Log-latency/m-p/697130#M18089 <P>Hi Team,</P> <P>We could see latency in logs<BR /><BR />Log ingestion via - syslog<BR /><BR /></P> <P>Network devices --&gt; Syslog server --&gt; splunk&nbsp;<BR /><BR />Using below query, we could see minimum 10 mins to maxminum 60 mins log latency<BR /><BR /></P> <LI-CODE lang="markup">index="ABC" sourcetype="syslog" source="/syslog*" | eval indextime=strftime(_indextime,"%c") | table _raw _time indextime</LI-CODE> <P><BR /><BR />What should be our next steps to check where the latency is and how to fix it?</P> Fri, 23 Aug 2024 11:00:13 GMT https://community.splunk.com/t5/Security/Log-latency/m-p/697130#M18089 VijaySrrie 2024-08-23T11:00:13Z https://community.splunk.com/t5/Security/Log-latency/m-p/697249#M18091 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/164779">@VijaySrrie</a>&nbsp;assuming you are collecting the logs on syslog server then forwarding to Splunk with a UF?<BR />You can check if the UF is reaching its thruput limit which could cause indexing lag:</P><LI-CODE lang="markup">index=_internal sourcetype=splunkd component=ThruputProcessor "has reached maxKBps" </LI-CODE><P><BR /><BR /></P> Mon, 26 Aug 2024 05:35:26 GMT https://community.splunk.com/t5/Security/Log-latency/m-p/697249#M18091 KendallW 2024-08-26T05:35:26Z https://community.splunk.com/t5/Security/Log-latency/m-p/697562#M18093 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/121137">@KendallW</a>&nbsp;<BR /><SPAN class="">INFO</SPAN> <SPAN class="">ThruputProcessor</SPAN><SPAN> [</SPAN><SPAN class="">2963</SPAN> <SPAN class="">parsing</SPAN><SPAN>] </SPAN><SPAN class="">-</SPAN> <SPAN class="">Current</SPAN> <SPAN class="">data</SPAN> <SPAN class="">throughput</SPAN><SPAN> (</SPAN><SPAN class="">5125</SPAN> <SPAN class="">kb/s</SPAN><SPAN>) </SPAN><SPAN class=""><SPAN class="">has</SPAN> <SPAN class="">reached</SPAN> <SPAN class="">maxKBps</SPAN></SPAN><SPAN>. </SPAN><SPAN class="">As</SPAN> <SPAN class="">a</SPAN> <SPAN class="">result</SPAN><SPAN>, </SPAN><SPAN class="">data</SPAN> <SPAN class="">forwarding</SPAN> <SPAN class="">may</SPAN> <SPAN class="">be</SPAN> <SPAN class="">throttled.</SPAN> <SPAN class="">Consider</SPAN> <SPAN class="">increasing</SPAN> <SPAN class="">the</SPAN> <SPAN class="">value</SPAN> <SPAN class="">of</SPAN> <SPAN class="">maxKBps</SPAN> <SPAN class="">in</SPAN> <SPAN class="">limits.conf.</SPAN><BR /><BR />We will try increasing the limits.</P> Wed, 28 Aug 2024 08:53:24 GMT https://community.splunk.com/t5/Security/Log-latency/m-p/697562#M18093 VijaySrrie 2024-08-28T08:53:24Z