Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I index data in real time?

chintan_shah
Path Finder
‎09-21-2017 11:11 AM

I have created an alert which checks if logs are not present in last 20 mins per source. I have around 32 source files from single forwarder. Many of my files are not getting indexed in real time and I am receiving this alert frequently.

Can anyone tell me any parameters which needs to be changed so that I can index the data in real time?
is there any mechanism to check what is the inflow rate of the data?

System Info:
I also see my CPU is around 80% idle and working Windows OS. I have 4 Core machine 32gb ram
Splunk Enterprise 6.4.3

0 Karma
Reply

DalJeanis
Legend
‎09-27-2017 12:31 PM

@chintan_shah - First, please determine whether the files are not being indexed in a timely manner, or not being forwarded in a timely manner.

Second, check through the debug steps at "I can't find my data"

0 Karma
Reply

harsmarvania57
Ultra Champion
‎09-27-2017 08:30 AM

Hi @chintan_shah,

Are you getting any error in Splunk Universal Forwarder's splunkd.log ?

Thanks,
Harshil

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...