
Logs are delayed for Symantec logs, why?

MikeBertelsen
Communicator

The delay appears to be up to 15 minutes. The delay is with the Symantec logs (sourcetype values: sep, sep:agt_system, sep:ids, and sep:behavior).

The delay is also inconsistent, meaning there are times where the logs are not delayed.
Has anyone seen this before?


woodcock
Esteemed Legend

If the "delay" is only 15 minutes, then I would guess that at least one of the servers that is generating the timestamps inside of the events has significant clock drift. You can see which one with this search:

index=* | eval timestamp=coalesce(timestamp,"OK") | eval date_zone=coalesce(date_zone,"none") | eval prev_sourcetype=if(sourcetype=_sourcetype,"none",_sourcetype) | dedup date_zone splunk_server index host sourcetype timestamp prev_sourcetype | eval lagSecs=_time-_indextime | table host sourcetype date_zone timestamp lagSecs | sort lagSecs

Find the host values that have bad lagSecs times.

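As an added example, not part of woodcock's answer or of Splunk itself, this Python script applies the same lagSecs calculation (_time minus _indextime) to a constructed set of per-host events and labels each host, so a constant offset (clock drift on the source) can be told apart from lag that comes and goes (ingestion delay, which matches the "inconsistent" symptom in the question). The hosts, events and thresholds are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample events in the shape the search above exposes:
# (host, sourcetype, _time, _indextime) as epoch seconds. Not real data.
SAMPLE_EVENTS = [
    ("sepm01", "sep", 1700000000, 1700000005),
    ("sepm01", "sep:ids", 1700000100, 1700000104),
    ("sepm01", "sep:behavior", 1700000200, 1700000203),
    ("sepm02", "sep", 1700000000, 1700000905),        # ~15 min late, every time
    ("sepm02", "sep:agt_system", 1700000100, 1700001000),
    ("sepm02", "sep:ids", 1700000200, 1700001102),
    ("sepm03", "sep", 1700000000, 1700000004),        # late only sometimes
    ("sepm03", "sep", 1700000100, 1700000990),
    ("sepm03", "sep", 1700000200, 1700000203),
]

def lag_secs(event_time, index_time):
    # Same quantity as `eval lagSecs=_time-_indextime`; a strongly negative
    # value means the event was indexed long after its own timestamp.
    return event_time - index_time

def classify_hosts(events, threshold=600, jitter=60):
    """Group lag by host and label it. Returns {host: (median_lag, label)}."""
    per_host = defaultdict(list)
    for host, _sourcetype, t, it in events:
        per_host[host].append(lag_secs(t, it))
    result = {}
    for host, lags in per_host.items():
        median = statistics.median(lags)
        spread = max(lags) - min(lags)
        if abs(median) < threshold and spread < threshold:
            label = "ok"
        elif spread <= jitter:
            # Every event is offset by about the same amount: the source's
            # clock (or timezone setting) is off, not the forwarding path.
            label = "clock-drift"
        else:
            # Lag varies widely: events arrive late only some of the time,
            # which points at collection/forwarding delay rather than skew.
            label = "intermittent-delay"
        result[host] = (median, label)
    return result

if __name__ == "__main__":
    for host, (median, label) in sorted(classify_hosts(SAMPLE_EVENTS).items()):
        print(f"{host}: median lag {median:+.0f}s -> {label}")
```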

MikeBertelsen
Communicator

For clarification, Symantec logs are delayed getting into Splunk.
