https://community.splunk.com/t5/Monitoring-Splunk/Looking-for-a-change-in-the-index-indextime-rate/m-p/677998#M10011 <P>You can do your calculations based on _indextime but still you have to select your data with _time. There is no other way with Splunk since _time is the primary "ordering field".</P><P>So you can do something like</P><PRE>index=whatever earliest=-8h<BR />| stats max(_indextime)</PRE><P>to find out when the latest indexed event was indexed. You just need to get the initial timerange with a sufficient margin.</P><P>If I remember correctly, _indextime can be used with tstats as well (just not as a field with which you can bin with a given span).</P> Mon, 19 Feb 2024 16:46:03 GMT PickleRick 2024-02-19T16:46:03Z https://community.splunk.com/t5/Monitoring-Splunk/Looking-for-a-change-in-the-index-indextime-rate/m-p/677996#M10010 <P>I want to identify where the <EM>rate</EM> that an index's _indextime changes by a specific amount, with a tolerence that increases the faster the rate.<BR /><BR /><STRONG>For example:</STRONG><BR /><BR /><STRONG>1. Index A</STRONG> - It indexes once every 6 hours and populates the past 6 hours of events. In this circumstance I would want to know if it hasn't indexed for 8 hours or more. The tolerance is therefore relatively small (around 30% extra).<BR /><BR /><STRONG>2. Index B</STRONG> - It indexes every second, in this circumstance I may forgive it not indexing for a few seconds, but I'd definitely want to know if it hasn't indexed in 10 minutes. The tolerence is therefore relatively large.&nbsp;<BR /><BR />I don't think _time is right to use, as that would retrospectively backfill the indexes and I'm thinking it'd give false results.&nbsp;<BR /><BR />I feel that either the _internal index or tstats has the answer, but I've not yet come close.<BR /><BR /></P> Mon, 19 Feb 2024 16:31:56 GMT https://community.splunk.com/t5/Monitoring-Splunk/Looking-for-a-change-in-the-index-indextime-rate/m-p/677996#M10010 mconnarty1 2024-02-19T16:31:56Z https://community.splunk.com/t5/Monitoring-Splunk/Looking-for-a-change-in-the-index-indextime-rate/m-p/677998#M10011 <P>You can do your calculations based on _indextime but still you have to select your data with _time. There is no other way with Splunk since _time is the primary "ordering field".</P><P>So you can do something like</P><PRE>index=whatever earliest=-8h<BR />| stats max(_indextime)</PRE><P>to find out when the latest indexed event was indexed. You just need to get the initial timerange with a sufficient margin.</P><P>If I remember correctly, _indextime can be used with tstats as well (just not as a field with which you can bin with a given span).</P> Mon, 19 Feb 2024 16:46:03 GMT https://community.splunk.com/t5/Monitoring-Splunk/Looking-for-a-change-in-the-index-indextime-rate/m-p/677998#M10011 PickleRick 2024-02-19T16:46:03Z https://community.splunk.com/t5/Monitoring-Splunk/Looking-for-a-change-in-the-index-indextime-rate/m-p/678002#M10012 <P>This is what I have so far - but it seems way too complex! It does a baseline inner search to work out the average rate on the -48h -&gt; -24h, and then joins that to the same search but -24h to now.<BR /><BR /></P><LI-CODE lang="markup">| tstats count WHERE earliest=-24h latest=now() index=* BY index sourcetype _indextime | top limit=5 _indextime by index sourcetype | streamstats range(_indextime) as range_indextime by sourcetype index | stats avg(range_indextime) as observed_avg_range_indextime by index sourcetype | join type=inner index sourcetype [| tstats count WHERE earliest=-48h latest=-24h index=* BY index sourcetype _indextime | top limit=5 _indextime by index sourcetype | streamstats range(_indextime) as range_indextime by sourcetype index | stats avg(range_indextime) as avg_range_indextime by index sourcetype]</LI-CODE><P>&nbsp;</P> Mon, 19 Feb 2024 17:08:49 GMT https://community.splunk.com/t5/Monitoring-Splunk/Looking-for-a-change-in-the-index-indextime-rate/m-p/678002#M10012 mconnarty1 2024-02-19T17:08:49Z https://community.splunk.com/t5/Monitoring-Splunk/Looking-for-a-change-in-the-index-indextime-rate/m-p/678072#M10013 <P>For anyone else - the below search eventually worked the way I wanted although perhaps there is a more efficient way to do the same thing!<BR /><BR /></P><LI-CODE lang="markup">| tstats max(_indextime) as indextime WHERE earliest=-7d latest=now() index=* BY sourcetype index _time span=1h ```Look back over a 7 day window, and get the typical number of hours between indextimes, as well as the number of hours seen``` | sort 0 + index sourcetype indextime | streamstats window=2 range(indextime) as range_indextime by sourcetype index | eval range_indextime=range_indextime/60/60 | stats max(indextime) as last_indextime dc(indextime) as hour_count_over_5_days avg(range_indextime) as range_based_spacing by sourcetype index | eval now=now() | eval average_hour_spacing=120/hour_count_over_5_days | eval hours_since_last_seen=if(isnotnull(hours_since_last_seen),hours_since_last_seen,abs((now-last_indextime)/60/60)) ```Compare the time since we last saw indexes, and determine if it is likely late or not.``` | eval is_late=case(((range_based_spacing&lt;=1 AND hours_since_last_seen&gt;=1.5 AND average_hour_spacing&lt;=1) OR (range_based_spacing&lt;=6 AND hours_since_last_seen&gt;=8 AND average_hour_spacing&lt;=6) OR (range_based_spacing&lt;=12 AND hours_since_last_seen&gt;=15 AND average_hour_spacing&lt;=12) OR (range_based_spacing&lt;=24 AND hours_since_last_seen&gt;=36) OR isnull(last_indextime)) AND hour_count_over_5_days&gt;1,"yes",(hours_since_last_seen&gt;24 AND hour_count_over_5_days&lt;=1),"maybe",1=1,"no") | eval last_indextime=strftime(last_indextime,"%Y-%m-%dT%H:%M") | fields - now</LI-CODE> Tue, 20 Feb 2024 13:04:18 GMT https://community.splunk.com/t5/Monitoring-Splunk/Looking-for-a-change-in-the-index-indextime-rate/m-p/678072#M10013 mconnarty1 2024-02-20T13:04:18Z