
Logs are delayed for Symantec logs, why?

MikeBertelsen
Communicator

The delay appears to be up to 15 minutes. The delay is with the Symantec logs (sourcetype values: sep, sep:agt_system, sep:ids, and sep:behavior).

The delay is also inconsistent, meaning there are times where the logs are not delayed.
Has anyone seen this before?


woodcock
Esteemed Legend

If the "delay" is only 15 minutes, then I would guess that at least one of the servers that is generating the timestamps inside of the events has significant clock drift. You can see which one with this search:

index=* | eval timestamp=coalesce(timestamp,"OK") | eval date_zone=coalesce(date_zone,"none") | eval prev_sourcetype=if(sourcetype=$_sourcetype$,"none",_sourcetype) | dedup date_zone splunk_server index host sourcetype timestamp prev_sourcetype | eval lagSecs=_time-_indextime

Find the host values that have bad lagSecs times.

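The check woodcock describes (compare each event's timestamp with the time it was indexed, then look for hosts whose lag is consistently far from zero) can be reproduced outside Splunk on exported events. The script below is an added example, not code from the thread; the events, host names and the 300-second threshold are constructed for illustration.

```python
"""Flag hosts whose event timestamps lag or lead index time (clock-drift check).

Added example, not from the thread. It mirrors the idea in the SPL search
above: lagSecs = _time - _indextime per event, then look for hosts whose
lag is consistently far from zero. Events below are constructed sample data.
"""
from statistics import median

# Constructed sample events: (host, sourcetype, _time, _indextime) as epoch seconds.
SAMPLE_EVENTS = [
    ("sep-mgr-01", "sep", 1_700_000_000, 1_700_000_005),
    ("sep-mgr-01", "sep:agt_system", 1_700_000_060, 1_700_000_063),
    ("sep-mgr-02", "sep:ids", 1_700_000_000, 1_700_000_905),   # indexed ~15 min late
    ("sep-mgr-02", "sep:behavior", 1_700_000_120, 1_700_001_020),
    ("sep-mgr-03", "sep", 1_700_000_900, 1_700_000_002),       # timestamp ~15 min ahead of index time
    ("sep-mgr-03", "sep:ids", 1_700_000_950, 1_700_000_050),
]


def lag_by_host(events):
    """Return {host: [lagSecs, ...]} where lagSecs = _time - _indextime.

    Negative lag means the event was indexed after its timestamp (ingest delay
    or a slow source clock); positive lag means the timestamp is in the future
    relative to the indexer clock (source clock running fast).
    """
    lags = {}
    for host, _sourcetype, event_time, index_time in events:
        lags.setdefault(host, []).append(event_time - index_time)
    return lags


def flag_hosts(events, threshold_secs=300):
    """Return {host: (median_lag, verdict)} for hosts whose median |lag| exceeds the threshold.

    threshold_secs is an assumed tuning value, not something stated in the thread;
    the median is used so a single late event does not flag an otherwise healthy host.
    """
    flagged = {}
    for host, lags in lag_by_host(events).items():
        m = median(lags)
        if abs(m) > threshold_secs:
            verdict = "source clock ahead" if m > 0 else "ingest delay or source clock behind"
            flagged[host] = (m, verdict)
    return flagged


if __name__ == "__main__":
    for host, (m, verdict) in sorted(flag_hosts(SAMPLE_EVENTS).items()):
        print(f"{host}: median lagSecs={m:+.0f} -> {verdict}")
```

Run as-is it reports sep-mgr-02 (events indexed about 15 minutes after their timestamps) and sep-mgr-03 (timestamps about 15 minutes ahead of the indexer clock) and leaves sep-mgr-01 alone. The sign of the lag is the useful part: a consistent large positive value points at a fast source clock, while a consistent large negative value can be either a slow source clock or a genuine forwarding delay, which is the distinction the original poster still needs to make.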

MikeBertelsen
Communicator

For clarification, Symantec logs are delayed getting into Splunk.
