topic Re: How can I index data in real time? in Getting Data In

How can I index data in real time?

chintan_shah — Thu, 21 Sep 2017 18:11:07 GMT

I have created an alert which checks if logs are not present in last 20 mins per source. I have around 32 source files from single forwarder. Many of my files are not getting indexed in real time and I am receiving this alert frequently.

Can anyone tell me any parameters which needs to be changed so that I can index the data in real time?
is there any mechanism to check what is the inflow rate of the data?

System Info:
I also see my CPU is around 80% idle and working Windows OS. I have 4 Core machine 32gb ram
Splunk Enterprise 6.4.3

Re: How can I index data in real time?

harsmarvania57 — Wed, 27 Sep 2017 15:30:57 GMT

Hi @chintan_shah,

Are you getting any error in Splunk Universal Forwarder's splunkd.log ?

Thanks,
Harshil

Re: How can I index data in real time?

DalJeanis — Wed, 27 Sep 2017 19:31:14 GMT

@chintan_shah - First, please determine whether the files are not being indexed in a timely manner, or not being forwarded in a timely manner.

Second, check through the debug steps at "I can't find my data"