https://community.splunk.com/t5/Getting-Data-In/Why-is-data-being-indexed-but-completely-searchable-only-some/m-p/389925#M69780 <P>Hello, i have checked and the most of the events (showed and not showed) are from the same indexer. The cluster have 3.</P> Fri, 28 Dec 2018 18:58:56 GMT rgonzalezsplk 2018-12-28T18:58:56Z https://community.splunk.com/t5/Getting-Data-In/Why-is-data-being-indexed-but-completely-searchable-only-some/m-p/389922#M69777 <P>Hello community,</P> <P>I would like to ask you something, and I'm hoping that you can help me with this.</P> <P>I'm sending data from one universal forwarder to 2 environments (1 Stand Alone and 1 Cluster).</P> <P>For some reason, when i have 100 events on Stand Alone with this time window (earliest=-3m@m latest=-m@m) on the cluster, I have only 80 and only some minutes after i get 100 events on cluster.</P> <P>Why can this be happening? The source types are the same and i wasn't able to find some error on internal.</P> <P>Thanks you for your time and i hope you can help me.</P> <P>Greetings.</P> Fri, 28 Dec 2018 17:24:27 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-data-being-indexed-but-completely-searchable-only-some/m-p/389922#M69777 rgonzalezsplk 2018-12-28T17:24:27Z https://community.splunk.com/t5/Getting-Data-In/Why-is-data-being-indexed-but-completely-searchable-only-some/m-p/389923#M69778 <P>Are the missing events on a single indexer in the cluster (check splunk_server in each event)?</P> Fri, 28 Dec 2018 17:59:01 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-data-being-indexed-but-completely-searchable-only-some/m-p/389923#M69778 richgalloway 2018-12-28T17:59:01Z https://community.splunk.com/t5/Getting-Data-In/Why-is-data-being-indexed-but-completely-searchable-only-some/m-p/389924#M69779 <P>So, here's the steps that I would go through to triage this one...</P> <P>1) Identify the latency on each side. </P> <PRE><CODE>(your search that gets the data in question) | eval latency = _index_time - _time | stats count as event_count avg(latency) as latency_avg stdev(latency) as latency_stdev by splunk_server </CODE></PRE> <P>Look at the patterns in the above. You can also replace the stats with a timechart, and look at it with min or max latency, to see whatever you see about the machines' performance...</P> <PRE><CODE>| timechart span=30s max(latency) by splunk_server </CODE></PRE> <P>Now, the above should make something obvious. Either it will be obvious that one or more of the machines are slow to index the data, thus a high level of latency, or it will be obvious that there is no such latency.</P> <P>If there is high latency, then investigate what is slowing down the machine(s) in question. maybe they are CPU bound, or IO bound, or virtual machines that are fighting for resources (either oversubscribed or overspecified, either one of which can cause performance problems.)</P> <P>If there is no high latency, then look for network issues. That could be slow replication, slow transmission, inability to reach a particular server, and so on. </P> <P>If none of this pans out, then get onto the Splunk Slack channel that is linked here -- <A href="https://answers.splunk.com/answers/443734/is-there-a-splunk-slack-channel.html">https://answers.splunk.com/answers/443734/is-there-a-splunk-slack-channel.html</A> -- (I'm not putting the direct link here because that link will be kept up to date) -- and then get into the #index_clustering subchannel, and ask the question there so you know what next to investigate. </P> <P>Please let us know how it turns out.</P> Fri, 28 Dec 2018 18:39:02 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-data-being-indexed-but-completely-searchable-only-some/m-p/389924#M69779 DalJeanis 2018-12-28T18:39:02Z https://community.splunk.com/t5/Getting-Data-In/Why-is-data-being-indexed-but-completely-searchable-only-some/m-p/389925#M69780 <P>Hello, i have checked and the most of the events (showed and not showed) are from the same indexer. The cluster have 3.</P> Fri, 28 Dec 2018 18:58:56 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-data-being-indexed-but-completely-searchable-only-some/m-p/389925#M69780 rgonzalezsplk 2018-12-28T18:58:56Z https://community.splunk.com/t5/Getting-Data-In/Why-is-data-being-indexed-but-completely-searchable-only-some/m-p/389926#M69781 <P>Hello DalJeanis and thanks for reply.</P> <P>I have executed those search and as i say, there is no latency but, in the case of event count distribution, the indexer 1 has the double of the second indexer.</P> <P>In the case that this is an network issue, is there a way to check it from splunk before ask to the administrator to check it ?<BR /> Thanks you.</P> Fri, 28 Dec 2018 19:13:40 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-data-being-indexed-but-completely-searchable-only-some/m-p/389926#M69781 rgonzalezsplk 2018-12-28T19:13:40Z https://community.splunk.com/t5/Getting-Data-In/Why-is-data-being-indexed-but-completely-searchable-only-some/m-p/389927#M69782 <P>1) is that proportion consistent over time? <BR /> 2) I assume you mean "no significant latency", because there is ALWAYS latency. If the latency is zero, then your data is getting the wrong timestamp.<BR /> 3) If you run the same search verbose with fixed earliest and latest times, then run it again later, you can compare the two results against each other and see which events were delayed. Might be some information there.<BR /> 4) It sounds like you have only two indexers in that cluster. what are your SF/RF? </P> Fri, 28 Dec 2018 21:18:31 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-data-being-indexed-but-completely-searchable-only-some/m-p/389927#M69782 DalJeanis 2018-12-28T21:18:31Z https://community.splunk.com/t5/Getting-Data-In/Why-is-data-being-indexed-but-completely-searchable-only-some/m-p/389928#M69783 <P>Make sure that you have <CODE>maxKBps=0</CODE> on the forwarder.</P> Sat, 09 Mar 2019 23:24:43 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-data-being-indexed-but-completely-searchable-only-some/m-p/389928#M69783 woodcock 2019-03-09T23:24:43Z