https://community.splunk.com/t5/Getting-Data-In/How-to-get-a-report-on-latency-between-Heavy-Forwarder-and/m-p/314607#M58894 <P>In our environment, we have syslog servers that send data to regional Heavy forwarders. The data in HFs eventually gets indexed and is searchable on Search Heads.</P> <P>The issue now is, we are able to see data(logs) on HFs. But we are not able to see them on Search Heads.</P> <P>Eg : The last log present on HF for a particular host is on 30th May. But the last log we can see on our Search Head for the same host will be of 27th or 28th May's. We will be able to see 30th logs, somewhere around June 1st or 2nd.</P> <P>It is obvious there is some latency between HF and Indexer. It is mostly because of the bandwidth issues (confirmed).</P> <P>But I would like to get a report from Splunk that gives us the time difference between the moment a log got into HF and the moment it got indexed. Is there any SPL for getting this report?</P> <P>Thanks in advance.</P> Tue, 30 May 2017 14:54:34 GMT bharadwaja30 2017-05-30T14:54:34Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-a-report-on-latency-between-Heavy-Forwarder-and/m-p/314607#M58894 <P>In our environment, we have syslog servers that send data to regional Heavy forwarders. The data in HFs eventually gets indexed and is searchable on Search Heads.</P> <P>The issue now is, we are able to see data(logs) on HFs. But we are not able to see them on Search Heads.</P> <P>Eg : The last log present on HF for a particular host is on 30th May. But the last log we can see on our Search Head for the same host will be of 27th or 28th May's. We will be able to see 30th logs, somewhere around June 1st or 2nd.</P> <P>It is obvious there is some latency between HF and Indexer. It is mostly because of the bandwidth issues (confirmed).</P> <P>But I would like to get a report from Splunk that gives us the time difference between the moment a log got into HF and the moment it got indexed. Is there any SPL for getting this report?</P> <P>Thanks in advance.</P> Tue, 30 May 2017 14:54:34 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-a-report-on-latency-between-Heavy-Forwarder-and/m-p/314607#M58894 bharadwaja30 2017-05-30T14:54:34Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-a-report-on-latency-between-Heavy-Forwarder-and/m-p/314608#M58895 <P>Assuming that there is little-to-no latency in the arrival of the event at the HF (e.g. the timestamp in the event is very close to the time that it arrives at the HV), then you can chart <CODE>_indextime - _time</CODE>. So you can do something like this:</P> <PRE><CODE>... | eval latencySeconds = _indextime - _time | timechart max(latencySeconds) avg(latencySeconds) BY sourcetype </CODE></PRE> <P>You can change <CODE>sourcetype</CODE> to <CODE>splunk_server</CODE>, or <CODE>host</CODE> or whatever to research the dependant variable. You might also check out the <CODE>Meta Woot!</CODE> app that does some of this, too:</P> <P><A href="https://splunkbase.splunk.com/app/2949/">https://splunkbase.splunk.com/app/2949/</A></P> Tue, 30 May 2017 16:46:21 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-a-report-on-latency-between-Heavy-Forwarder-and/m-p/314608#M58895 woodcock 2017-05-30T16:46:21Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-a-report-on-latency-between-Heavy-Forwarder-and/m-p/314609#M58896 <P>Thank you woodcock for helping me out with the SPL <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 31 May 2017 08:06:32 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-a-report-on-latency-between-Heavy-Forwarder-and/m-p/314609#M58896 bharadwaja30 2017-05-31T08:06:32Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-a-report-on-latency-between-Heavy-Forwarder-and/m-p/314610#M58897 <P>Hi Woodcock,</P> <P>Here we are going with an assumption that there is little or no latency in the arrival of event at HF. Is there a way we can get that latency too?? </P> <P>So in a picture format it will be..</P> <P>Endpoint (event generated) Time T1, Heavy Forwarder (the same event reached HF) Time T2, Indexer (when that same event was indexed) Time T3.</P> <P>So what we need is <BR /> T2 – T1 = time taken to reach HF<BR /> T3 – T2 = time taken to get the event indexed <BR /> T3 – T1 = total time taken for the event to be usable.</P> <P>When we get the above information for each endpoint (only sample) we will be able to get to the bottom of the problem.</P> <P>Then we have to go and dig deeper to find out if where the problem is:<BR /> 1. HF is retransmitting or<BR /> 2. indexer queues are full or<BR /> 3. we are running out CPU or <BR /> 4. we are wasting time on reading and writing from the disks on the HF </P> <P>Thanks for your help in advance.</P> Fri, 02 Jun 2017 06:27:54 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-a-report-on-latency-between-Heavy-Forwarder-and/m-p/314610#M58897 bharadwaja30 2017-06-02T06:27:54Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-a-report-on-latency-between-Heavy-Forwarder-and/m-p/314611#M58898 <P>It would be best to ask a new question for this.</P> Fri, 02 Jun 2017 14:03:35 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-a-report-on-latency-between-Heavy-Forwarder-and/m-p/314611#M58898 woodcock 2017-06-02T14:03:35Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-a-report-on-latency-between-Heavy-Forwarder-and/m-p/314612#M58899 <P>There are some other (and some better) ways to search this out. In addition to the accepted answer above, try these searches:</P> <PRE><CODE>| tstats count where index=* by index sourcetype source _time _indextime | eval latencySeconds =_indextime - _time | stats avg(latencySeconds) AS latencySeconds BY index sourcetype source | where latencySeconds &lt; 0 </CODE></PRE> <P>Also:</P> <PRE><CODE>| tstats min(_time) AS early max(_time) AS late WHERE index=* BY host | eval diff = late - early | where early != late </CODE></PRE> <P>Of course, Martin Mueller always has a much faster way to gauge Indexing lag:<BR /> <A href="https://answers.splunk.com/answers/232475/how-to-search-when-an-event-was-indexed.html">https://answers.splunk.com/answers/232475/how-to-search-when-an-event-was-indexed.html</A></P> <P>At the very bottom - the key is to reduce cardinality of _time and only look for the worst case per bucket so to quickly get a general overview of your indexing delay, consider something tstatsy like this:</P> <PRE><CODE>| tstats max(_indextime) as max where index=foo by host _time span=1s | eval delta = max - _time | timechart max(delta) by host </CODE></PRE> <P>It introduces half a span of error if you want averages, but great to detect peaks.</P> Thu, 10 Jan 2019 01:21:31 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-a-report-on-latency-between-Heavy-Forwarder-and/m-p/314612#M58899 woodcock 2019-01-10T01:21:31Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-a-report-on-latency-between-Heavy-Forwarder-and/m-p/564979#M100553 <P>Hi Woodcook,</P><P>Can I ask why you never really answered the core question in stead of asking him to add a new question?</P><P>His question was super relevant.</P> Fri, 27 Aug 2021 07:25:48 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-a-report-on-latency-between-Heavy-Forwarder-and/m-p/564979#M100553 BDein 2021-08-27T07:25:48Z