<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Time difference (practical values) between event-time and index-time in large clustered environments in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Time-difference-practical-values-between-event-time-and-index/m-p/312606#M58588</link>
    <description>&lt;P&gt;The normal average for file-based forwarding of events is roughly 100 seconds (syslog should be even smaller) for &lt;CODE&gt;_indextime&lt;/CODE&gt; - &lt;CODE&gt;_time&lt;/CODE&gt;.  Anything bigger than 300 seconds should be investigated, IMHO.&lt;/P&gt;</description>
    <pubDate>Wed, 05 Apr 2017 19:09:28 GMT</pubDate>
    <dc:creator>woodcock</dc:creator>
    <dc:date>2017-04-05T19:09:28Z</dc:date>
    <item>
      <title>Time difference (practical values) between event-time and index-time in large clustered environments</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Time-difference-practical-values-between-event-time-and-index/m-p/312605#M58587</link>
      <description>&lt;P&gt;I know it is a weird question (like how long is a piece of string), but this is more about values from your experience/real-time practical values in your large clustered environment. We are estimating how fast Splunk can respond in real time, but on analysing the difference between _time and _indextime, the values are much higher than I thought. It is coming up at 300 seconds for the 90th percentile of data.&lt;/P&gt;

&lt;UL&gt;
&lt;LI&gt;The data comes from syslog and from Universal Forwarders.&lt;/LI&gt;
&lt;LI&gt;No queueing/pipeline blocks&lt;/LI&gt;
&lt;LI&gt;No delay from source as such&lt;/LI&gt;
&lt;/UL&gt;

&lt;P&gt;Just wanted to verify how you guys' systems are looking. Is 300 seconds too much, or good enough for most of the data?&lt;/P&gt;</description>
      <pubDate>Wed, 05 Apr 2017 18:38:57 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Time-difference-practical-values-between-event-time-and-index/m-p/312605#M58587</guid>
      <dc:creator>koshyk</dc:creator>
      <dc:date>2017-04-05T18:38:57Z</dc:date>
    </item>
    <item>
      <title>Re: Time difference (practical values) between event-time and index-time in large clustered environments</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Time-difference-practical-values-between-event-time-and-index/m-p/312606#M58588</link>
      <description>&lt;P&gt;The normal average for file-based forwarding of events is roughly 100 seconds (syslog should be even smaller) for &lt;CODE&gt;_indextime&lt;/CODE&gt; - &lt;CODE&gt;_time&lt;/CODE&gt;.  Anything bigger than 300 seconds should be investigated, IMHO.&lt;/P&gt;</description>
      <pubDate>Wed, 05 Apr 2017 19:09:28 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Time-difference-practical-values-between-event-time-and-index/m-p/312606#M58588</guid>
      <dc:creator>woodcock</dc:creator>
      <dc:date>2017-04-05T19:09:28Z</dc:date>
    </item>
    <item>
      <title>Re: Time difference (practical values) between event-time and index-time in large clustered environments</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Time-difference-practical-values-between-event-time-and-index/m-p/312607#M58589</link>
      <description>&lt;P&gt;Thank you, mate.&lt;/P&gt;</description>
      <pubDate>Thu, 06 Apr 2017 13:13:03 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Time-difference-practical-values-between-event-time-and-index/m-p/312607#M58589</guid>
      <dc:creator>koshyk</dc:creator>
      <dc:date>2017-04-06T13:13:03Z</dc:date>
    </item>
  </channel>
</rss>

