I wanted to track the lag between when a log is generated on the host server and the time it arrives in Splunk.
Is there any search that can achieve that?
Hello leonjxtan,
The field you are looking for is _indextime.
Latency is _indextime - _time.
Here is a full answer from this portal: https://answers.splunk.com/answers/11870/how-can-i-view-the-indexing-latency-for-incoming-events-in-...
It explains it in detail and provides some examples as well.
Hope it helps.
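
The `_indextime - _time` calculation from the answer above, written out as a complete search; this is an added example, not part of the original posts or the linked answer. The index name `main`, the 60-minute window and the 300-second "delayed" threshold are assumptions to adjust for your environment.

```spl
index=main earliest=-60m latest=now
| eval latency_sec = _indextime - _time
| stats count AS events
        min(latency_sec) AS min_latency_sec
        avg(latency_sec) AS avg_latency_sec
        perc95(latency_sec) AS p95_latency_sec
        max(latency_sec) AS max_latency_sec
        BY host sourcetype
| eval avg_latency_sec = round(avg_latency_sec, 1)
| eval status = case(min_latency_sec < 0, "negative latency: check host clock or timestamp parsing",
                     p95_latency_sec > 300, "delayed",
                     true(), "ok")
| sort - p95_latency_sec
```

A negative latency means the event's parsed timestamp is later than the time it was indexed, which usually points to clock skew on the sending host or a timezone or timestamp-extraction problem rather than a real delivery delay.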