https://community.splunk.com/t5/Knowledge-Management/Index-Latency-Summary/m-p/82150#M832 <P>Thanks Jeotron</P> <P>I was looking for a summary to speed up the search. I need a report of the latency on one index for the last 24 hours so I am not interested in real time. I did see the search from SOS thanks</P> Tue, 02 Apr 2013 17:22:20 GMT hartfoml 2013-04-02T17:22:20Z https://community.splunk.com/t5/Knowledge-Management/Index-Latency-Summary/m-p/82148#M830 <P>I am calculating the index latency like this</P> <P>index=firewall | eval diff = _indextime - _time </P> <P>This is taking some time to run a 24 hour report as firewall logs are prolific.</P> <P>Does anyone know if the latency for indexes is in a summary index anywhere?</P> Tue, 02 Apr 2013 16:39:12 GMT https://community.splunk.com/t5/Knowledge-Management/Index-Latency-Summary/m-p/82148#M830 hartfoml 2013-04-02T16:39:12Z https://community.splunk.com/t5/Knowledge-Management/Index-Latency-Summary/m-p/82149#M831 <P>Latencies are not stored anywhere. Your approach is correct, however you should be running this report in realtime using the all time (real time) dropdown option. This is to ensure that all incoming events are shown regardless of their extracted time stamp. Note that the latency measured here is affected by how old your events are when you expose them to Splunk. Alternatively, the SOS app includes a distributed indexing performance view that will show you realtime latency and is powered by this search</P> <PRE><CODE>index=* OR index=_internal </CODE></PRE> <P>| eval latency=round((_indextime - _time),2)<BR /> | eval seconds_elapsed=(time() - now())<BR /> | eval secs=if(seconds_elapsed&lt;0,"1",seconds_elapsed)<BR /> | eval esize=((len(_raw)/1024))<BR /> | eventstats max(secs) AS seconds<BR /> | eventstats count AS ecount, sum(esize) AS sum_esize $type$<BR /> | stats last(ecount) AS "event count"<BR /> last(eval(ecount/seconds)) AS eps<BR /> last(eval(sum_esize/seconds)) AS KBps<BR /> min(latency) AS "minimum latency (seconds)"<BR /> avg(latency) AS avglat<BR /> max(latency) AS "maximum latency (seconds)"<BR /> min(_time) AS oldestTime<BR /> max(_time) AS newestTime $type$<BR /> | eval avglat=round(avglat,2)<BR /> | eval eps=round(eps,2)<BR /> | eval KBps=round(KBps,2)<BR /> | convert timeformat="%m/%d/%Y %H:%M:%S" ctime(newestTime)<BR /> | convert timeformat="%m/%d/%Y %H:%M:%S" ctime(oldestTime)<BR /> | rename newestTime AS "Time stamp of newest event"<BR /> oldestTime AS "Time stamp of oldest event"<BR /> avglat AS "average latency (seconds)"<BR /> eps AS "events per second"<BR /> KBps AS "indexing rate (KBps)"</P> <P>Possible values for $type$: by index | by host | by source | by sourcetype | by splunk_server</P> <P>You can modify this search to suit your needs.</P> Mon, 28 Sep 2020 13:39:19 GMT https://community.splunk.com/t5/Knowledge-Management/Index-Latency-Summary/m-p/82149#M831 RicoSuave 2020-09-28T13:39:19Z https://community.splunk.com/t5/Knowledge-Management/Index-Latency-Summary/m-p/82150#M832 <P>Thanks Jeotron</P> <P>I was looking for a summary to speed up the search. I need a report of the latency on one index for the last 24 hours so I am not interested in real time. I did see the search from SOS thanks</P> Tue, 02 Apr 2013 17:22:20 GMT https://community.splunk.com/t5/Knowledge-Management/Index-Latency-Summary/m-p/82150#M832 hartfoml 2013-04-02T17:22:20Z https://community.splunk.com/t5/Knowledge-Management/Index-Latency-Summary/m-p/82151#M833 <P>By The Way, I left this one to run for quite a while and forgot about it. It chewed up 10G in /opt/splunk/var/run/splunk/dispatch and caused me a small headache. So don't leave it run too long:)</P> <P>Interesting data though! thanks!</P> Wed, 26 Mar 2014 15:10:51 GMT https://community.splunk.com/t5/Knowledge-Management/Index-Latency-Summary/m-p/82151#M833 glitchcowboy 2014-03-26T15:10:51Z