https://community.splunk.com/t5/Splunk-Dev/WineventLog-are-indexed-late/m-p/430314#M7702 <P>2.5 hours late (or early) might indicate India time or Iran time, only countries with 1/2 hour interval.<BR /> verify the cloak on your server as well as the time set for the user who looks at the data<BR /> you can also check the <CODE>_indextime</CODE> field and see if the event really "arrived" late, or your event time stamping / users set are off</P> <P>hope it helps</P> Tue, 29 Jan 2019 00:09:56 GMT adonio 2019-01-29T00:09:56Z https://community.splunk.com/t5/Splunk-Dev/WineventLog-are-indexed-late/m-p/430313#M7701 <P>Hi all,</P> <P>I am using splunk enterprise 7.1.4. I noticed some of the domain controllers logs(wineventlog) are indexed very late. The data is indexed 2.5 hrs late than the timestamp of the event. This is seen only on two domain controllers. </P> <P>I need help or advise on this issue.</P> <P>Thanks, </P> Mon, 28 Jan 2019 15:43:44 GMT https://community.splunk.com/t5/Splunk-Dev/WineventLog-are-indexed-late/m-p/430313#M7701 graju89 2019-01-28T15:43:44Z https://community.splunk.com/t5/Splunk-Dev/WineventLog-are-indexed-late/m-p/430314#M7702 <P>2.5 hours late (or early) might indicate India time or Iran time, only countries with 1/2 hour interval.<BR /> verify the cloak on your server as well as the time set for the user who looks at the data<BR /> you can also check the <CODE>_indextime</CODE> field and see if the event really "arrived" late, or your event time stamping / users set are off</P> <P>hope it helps</P> Tue, 29 Jan 2019 00:09:56 GMT https://community.splunk.com/t5/Splunk-Dev/WineventLog-are-indexed-late/m-p/430314#M7702 adonio 2019-01-29T00:09:56Z https://community.splunk.com/t5/Splunk-Dev/WineventLog-are-indexed-late/m-p/430315#M7703 <P>Hi adonio,</P> <P>I dont think it is timezone problem. The logs are indexed late not early. Most of the times it is late by 2.5hrs. Sometimes it indexes within 5 min. So I am guessing it is not time zone problem. Let me know if you have any other thoughts.</P> <P>Thanks,</P> Fri, 01 Feb 2019 15:39:32 GMT https://community.splunk.com/t5/Splunk-Dev/WineventLog-are-indexed-late/m-p/430315#M7703 graju89 2019-02-01T15:39:32Z https://community.splunk.com/t5/Splunk-Dev/WineventLog-are-indexed-late/m-p/430316#M7704 <P>ill recommend to identify the latency patterns first:<BR /> <CODE>... your search for windows ...| eval time=_time | eval itime=_indextime | eval latency=(itime - time) | stats count, avg(latency), min(latency), max(latency) by source</CODE></P> Fri, 01 Feb 2019 15:50:52 GMT https://community.splunk.com/t5/Splunk-Dev/WineventLog-are-indexed-late/m-p/430316#M7704 adonio 2019-02-01T15:50:52Z https://community.splunk.com/t5/Splunk-Dev/WineventLog-are-indexed-late/m-p/430317#M7705 <P>I tried that already. Latency is around 10000 sec(avg).</P> Fri, 01 Feb 2019 15:54:04 GMT https://community.splunk.com/t5/Splunk-Dev/WineventLog-are-indexed-late/m-p/430317#M7705 graju89 2019-02-01T15:54:04Z https://community.splunk.com/t5/Splunk-Dev/WineventLog-are-indexed-late/m-p/430318#M7706 <P>do you see latency from other sources?<BR /> did you measure network latency?<BR /> can you force a single event through the forwarder with <CODE>add oneshot</CODE> and measure results?</P> Fri, 01 Feb 2019 16:17:45 GMT https://community.splunk.com/t5/Splunk-Dev/WineventLog-are-indexed-late/m-p/430318#M7706 adonio 2019-02-01T16:17:45Z https://community.splunk.com/t5/Splunk-Dev/WineventLog-are-indexed-late/m-p/430319#M7707 <P>I assume the delays are seen from only Windows security events and not application or system events from those 2 domain controllers.</P> <P>What's special/different on them compared to your other servers? Do you have a lot of security events on them? Is that in a network segment, where there can be delays? [ I assume the splunk conf/apps in all your AD servers are same]</P> Fri, 01 Feb 2019 16:51:41 GMT https://community.splunk.com/t5/Splunk-Dev/WineventLog-are-indexed-late/m-p/430319#M7707 lakshman239 2019-02-01T16:51:41Z https://community.splunk.com/t5/Splunk-Dev/WineventLog-are-indexed-late/m-p/430320#M7708 <P>@lakshman239 Yes, You are correct. But it delays for application logs as well. I am sure the events are higher than other servers. From splunk side I dont have any special changes for these servers.</P> Fri, 01 Feb 2019 17:05:53 GMT https://community.splunk.com/t5/Splunk-Dev/WineventLog-are-indexed-late/m-p/430320#M7708 graju89 2019-02-01T17:05:53Z https://community.splunk.com/t5/Splunk-Dev/WineventLog-are-indexed-late/m-p/430321#M7709 <P>Does the delay go away after you re-boot the AD server? say for next few days?</P> Fri, 01 Feb 2019 17:14:16 GMT https://community.splunk.com/t5/Splunk-Dev/WineventLog-are-indexed-late/m-p/430321#M7709 lakshman239 2019-02-01T17:14:16Z https://community.splunk.com/t5/Splunk-Dev/WineventLog-are-indexed-late/m-p/430322#M7710 <P>I have not tried and can not do reboot. Those two AD servers are the main ones.</P> Fri, 01 Feb 2019 17:16:53 GMT https://community.splunk.com/t5/Splunk-Dev/WineventLog-are-indexed-late/m-p/430322#M7710 graju89 2019-02-01T17:16:53Z https://community.splunk.com/t5/Splunk-Dev/WineventLog-are-indexed-late/m-p/430323#M7711 <P>Pls raise a case with splunk support</P> Mon, 04 Feb 2019 15:08:25 GMT https://community.splunk.com/t5/Splunk-Dev/WineventLog-are-indexed-late/m-p/430323#M7711 lakshman239 2019-02-04T15:08:25Z