Data delay in events

jahnavi · ‎03-11-2024

Using props.conf i'm able to extract the fields but on the Splunk dashboard, the data is not visible for the timing 05:26 pm and data is visible for 05:27 pm, if i check after 2-3 minutes the entry at 05:26 pm will be visible. On the dashboard the default time is last 15 minutes.

ITWhisperer · ‎03-11-2024

Events are retrieved based on the value of _time, so depending on how your event is parsed, it may appear in the index retrospectively.

For example, Apache httpd log entries are usually timestamped with the time the request came in e.g. 05:26, but it is written to the log when the request is completed, for example, 05:28. This means that it was not in the log at 05:27, but did appear "later"

jahnavi · ‎03-15-2024

Thank you for your response.

Please may I know what would be the solution.

ITWhisperer · ‎03-15-2024

Search for the events after they have arrived in Splunk

jahnavi · ‎03-15-2024

Yes events have arrived but if I check in the graph for last 15 minutes, then few events are missing in last 5 minutes,is there any solution for this?

ITWhisperer · ‎03-15-2024

The short answer is probably no.

However, it may depend on your data, your applications doing the logging, your infrastructure, your networking, etc. None of this information is available to me. If there are delays built into any of these, there may be ways to work around them.

Data delay in events

index

props.conf

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio