Handle lag between _indextime and _time

ThibautB
New Member

Hello,

I figured out some of my alerts didn't trigger because there is a lag between the time of the event and the time the event is indexed, especially with Office 365 logs (and I'm pretty sure the lag comes from Microsoft for a good reason, but that's not the point here).

For example, I have an alert running every 10 minutes and triggering when someone adds a forward rule to another mailbox. This alert sometimes doesn't trigger because the log is indexed AFTER the search period defined for it.
Concrete example:

indextime            Date                 Operation                Rights
2018-10-19 16:08:03  2018-10-19 16:02:20  Add-MailboxPermission    FullAccess
2018-10-19 16:08:03  2018-10-19 16:02:19  Add-RecipientPermission  SendAs
2018-10-19 16:03:05  2018-10-19 15:55:42  Add-MailboxPermission    FullAccess
2018-10-19 16:02:05  2018-10-19 15:55:38  Add-MailboxPermission    FullAccess

The first two events did trigger (search between 16h00 and 16h10, event indexed at 16h08) but the last two didn't (search between 15h50 and 16h00, event indexed at 16h02).

Have you got any idea on how to properly handle that, other than delaying the search to take the lag into account? Any good idea or feedback would be appreciated.

Thanks!

0 Karma

valiquet
Contributor

To see where your data bottleneck is, use the Monitoring Console.

Use earliest=... and _index_earliest=...

Run the alert every 10 minutes but look at the past 60 minutes and throttle the events,
or
Run the alert every 10 minutes and use a subsearch or lookup to discard events that already created an alert:

index=... NOT [index=immitable search_name=mySearch | fields uniqueID | format]
index=... NOT [inputlookup ...]

Choose lookups over subsearches, since subsearches are not reliable and they have a small max run time and size limit.

Best practices make you resilient to ingestion lag and skipped searches. For mission critical work you can be proactive and monitor ingestion and scheduler issues.

0 Karma
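To make the difference between the two strategies in the answer above concrete, here is a small Python model of the scheduler, run over the four events from the question. It is an added example, not code from either poster or from Splunk; it assumes the alert runs at 16:00, 16:10 and 16:20 with latest=@m, and uses a constructed uniqueID (event time plus operation) to stand in for the alert lookup.

```python
from datetime import datetime, timedelta

# Constructed from the table in the question: (_indextime, _time, Operation, Rights).
EVENTS = [
    ("2018-10-19 16:08:03", "2018-10-19 16:02:20", "Add-MailboxPermission", "FullAccess"),
    ("2018-10-19 16:08:03", "2018-10-19 16:02:19", "Add-RecipientPermission", "SendAs"),
    ("2018-10-19 16:03:05", "2018-10-19 15:55:42", "Add-MailboxPermission", "FullAccess"),
    ("2018-10-19 16:02:05", "2018-10-19 15:55:38", "Add-MailboxPermission", "FullAccess"),
]
# Assumed cron schedule: the alert runs at 16:00, 16:10 and 16:20 (latest=@m, earliest=-Nm@m).
RUNS = [datetime(2018, 10, 19, 16, m) for m in (0, 10, 20)]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def events_in_window(run_at, window_minutes, by_indextime):
    """Events a run at run_at sees with earliest=run_at-window, latest=run_at.
    by_indextime=False models the default _time window; True models _index_earliest/_index_latest.
    An event that is not yet indexed when the search runs cannot be returned by any window."""
    earliest = run_at - timedelta(minutes=window_minutes)
    seen = []
    for indextime, event_time, op, rights in EVENTS:
        idx_dt, t_dt = parse(indextime), parse(event_time)
        if idx_dt > run_at:
            continue  # still sitting in the ingestion lag at run time
        key = idx_dt if by_indextime else t_dt
        if earliest <= key < run_at:
            seen.append((indextime, event_time, op, rights))
    return seen

def run_schedule(window_minutes, by_indextime, dedup=True):
    """Simulate all runs; with dedup, a set of uniqueIDs stands in for the alert lookup."""
    alerted = set()
    fired = []
    for run_at in RUNS:
        for ev in events_in_window(run_at, window_minutes, by_indextime):
            unique_id = (ev[1], ev[2])  # constructed uniqueID: event time + operation
            if dedup and unique_id in alerted:
                continue  # already raised by an earlier run; skip as the lookup filter would
            alerted.add(unique_id)
            fired.append(ev)
    return fired

if __name__ == "__main__":
    print("10m _time window:         ", len(run_schedule(10, False)), "alerts")  # 2: last two lost
    print("10m _indextime window:    ", len(run_schedule(10, True)), "alerts")   # 4
    print("60m window, no dedup:     ", len(run_schedule(60, False, dedup=False)), "alerts")  # 8
    print("60m window + lookup dedup:", len(run_schedule(60, False)), "alerts")  # 4
```

In real SPL the _indextime variant still needs a wide earliest= alongside _index_earliest=, otherwise the _time filter throws the late events away again; the model applies only the index-time bound.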

ThibautB
New Member

I'm not sure I understand your last sentence "Best practices make you resilient..."; could you elaborate or link a resource about what you are talking about?

0 Karma