Getting Data In

Figure out when a log entry was sent from a forwarder?

hajducko
Explorer

We're having an issue where a log entry isn't being indexed by the indexer until several hours after the log entry was written.

The log entry has a timestamp of 2/17 21:15 and goes all the way back to 2/17 20:33. However, our indexer shows ( via indexed_time ) that it didn't index the events until 2/18 2:16 AM.

I need to be able to determine why that is - is it forwarder lag? Did they misconfigure something? Or is it indexer lag?

As far as indexer lag goes, we have SoS installed, but according to it the indexer wasn't experiencing any issues - none of the queues were filled. At this point I have no data I can give the customer about why this would have happened.

Which brings me to the question - is there some way to determine when the forwarder saw/sent the event, or when the indexer received (not indexed) the event?

If I could tell that, at least it would help me point at the forwarder or the indexer and narrow the investigation down, but I don't know of any way to determine that information.


yannK
Splunk Employee

There is no timestamp recording when the event was read from the log file.
The only one you have is _indextime, i.e. when the indexer parsed it. With it you can evaluate the delay between the event timestamp and the index time:

source=mysource host=myhost | eval delay=_indextime-_time | table _time delay date_zone _raw

So first of all:

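A fuller version of that delay search, added here as an example and not part of yannK's answer. The source and host values, the 15-minute bucket size and the 600-second threshold are assumptions; adjust them to the case at hand. Instead of listing raw events it summarises the indexing delay per time bucket so you can see how it behaves over the window in question:

```spl
source=mysource host=myhost earliest=-24h
| eval delay=_indextime-_time
| eval delay_hms=tostring(delay, "duration")
| bin _time span=15m
| stats count min(delay) AS min_delay max(delay) AS max_delay avg(delay) AS avg_delay by _time host source date_zone
| where max_delay > 600
| sort - max_delay
```

The shape of the delay over time is the useful signal here: a delay that stays constant at a whole number of hours across the window points at a timezone mismatch between the log timestamps and how they are parsed (check date_zone and the TZ setting for the input), whereas a delay that keeps growing means events are queuing somewhere between the file and the index, which is where the forwarder thruput and file-handling checks come in.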

hajducko
Explorer

The timezone and forwarder thruput don't appear to be the issue - the issue appears to be a file descriptor issue. The host in question is generating 124,000+ individual log files per hour.


hajducko
Explorer

Yeah, I already used the indexed time to determine that we're experiencing several hours of delay between the timestamp of the event and the time when the event was eventually indexed. I don't have access to the forwarding host, so I'm having the user get the TZ and thruput items, but was hoping for some other way of diagnosing this or pointing to which side of the issue was the problem.
