All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is the indexing time lagging on email indexed by TA-Mailclient?

hcannon
Path Finder
‎05-24-2018 01:22 PM

We have had TA-Mailclient installed and working to index email via IMAP from a gmail account.

However we are noticing a lag between the time an email is received in the mailbox that is being monitored and the time the email is indexed, upwards of 40 minutes currently. What is odd is that the lag time has slowly increased over time - it was initially only a minute or two and has increased over the last few months to 30-40 minutes for each indexed email/event.

The app is installed on a search head that forwards to an indexer that has no known issues with indexing/parsing/etc, no other data sources are experiencing lag.

The input is scheduled to run every 100 seconds.
There are no errors in the logs for this app.
Splunk version is 7.0.1 and the app version is 1.3.0
Anyone else experiencing this issue or have any suggestions for further troubleshooting?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

seunomosowon
Communicator
‎05-24-2018 04:53 PM

I have to try add some extra logic to continue reading using the message UID, instead of reading each message in the mailbox and comparing to the checkpoint. Might have time during the summer for that.

It’s currently reading all mails and skipping mails that have already been read, hence the increased lag time. It would be faster if it reads and deletes it.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

seunomosowon
Communicator
‎05-24-2018 04:53 PM

I have to try add some extra logic to continue reading using the message UID, instead of reading each message in the mailbox and comparing to the checkpoint. Might have time during the summer for that.

It’s currently reading all mails and skipping mails that have already been read, hence the increased lag time. It would be faster if it reads and deletes it.

0 Karma
Reply
Solved! Jump to solution

Paul1896
Path Finder
‎12-06-2018 02:28 AM

One possibility to solve the problem of growing index time lag could be to use the KVstore function in future.

0 Karma
Reply
Solved! Jump to solution

seunomosowon
Communicator
‎12-06-2018 06:35 AM

Yeah, I'm considering having a "retainFolder" option, and moving the read mails to that folder. I got your feature request for reading from other folders. I'll come back to you on that during the holidays 🙂

0 Karma
Reply
Solved! Jump to solution

hcannon
Path Finder
‎05-25-2018 06:56 AM

Ah that makes sense and explains why the lag was slowly growing over time as this particular inbox grew in size. I updated the config to delete and this resolved the problem. thanks!

0 Karma
Reply
Solved! Jump to solution

seunomosowon
Communicator
‎05-24-2018 02:43 PM

Are you having the app delete the emails as it is being read?

0 Karma
Reply
Solved! Jump to solution

hcannon
Path Finder
‎05-24-2018 03:19 PM

Hi- nope right now we have the config set to read only.

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...