Getting Data In

How to best deal with alerting and summary indexing on mobile laptops

jambajuice
Communicator

If I want to use Splunk to monitor event logs on laptops that will be on and offline with some frequency, how does Splunk deal with alerting and summary indexing on data that comes in much later than the original event? Will an event that contains a much older timestamp trigger a realtime alert when the indexer sees it for the first time?

What about periodic summary indexing? If I run a summary indexing search every hour and Splunk receives events from a laptop with timestamps that are 24 hours old, will those events show up in the search for events from the last hour?

Thx.

Craig


hexx
Splunk Employee

One thing that you could do if you want to run a real-time search that looks at all incoming events regardless of their time-stamp (and alerts on them) is to use the "real-time (all time)" time range. For a scheduled RT search, this means that both the lower and upper time range of your search would have to be set to "rt". Be careful to properly set up your alert conditions accordingly so as not to create false positives!

I would recommend that you first give a try to this time range from the search app to see what incoming events look like. Just search for "*" with the "real-time(all time)" range selected from the field picker to see what's coming in.

dwaddle
SplunkTrust

I suspect you'll be in for a rough time of it. Remember, both basic alerting (not realtime alerting) and summary indexing are based upon running scheduled searches over a time range. Existing best practice is to give forwarded data some "lag time" before running a summary index or alert search -- for example, on hourly summaries run at 5 minutes past the hour with a time range of earliest=-65m@m latest=-5m@m. This gives you 5 minutes of lag time for events to arrive and make it into the index before the summary / alert search runs.

I think that what will happen is that your summaries will miss data and any basic alerts you set up won't fire -- because the data won't appear in the index until much, much later than the scheduled search runs.

I don't know enough about real-time alerts to be able to comment on how they will handle this.
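The lag-time schedule dwaddle describes, written as a savedsearches.conf stanza next to the naive on-the-hour version it replaces, as an added example that is not from this thread; the stanza names, index names, sourcetype and the search string are assumptions.

```ini
# Added example, not from the thread. Assumed names: the stanzas,
# index=wineventlog, sourcetype=WinEventLog:Security, summary_laptops.

# Naive version: runs on the hour over the last clock hour. An event
# forwarded even a minute late (laptop asleep, link down) lands in the
# index after this window has already been searched and is never
# summarized.
[hourly_laptop_security_summary_naive]
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
action.summary_index = 1
action.summary_index._name = summary_laptops
search = index=wineventlog sourcetype=WinEventLog:Security | sistats count by host, EventCode

# Lag-time version (the pattern above): run at 5 past the hour and
# search the hour that ended 5 minutes ago, so events that arrive a few
# minutes late are still included. The windows tile with no gap:
# 00:05 covers 23:00-00:00, 01:05 covers 00:00-01:00, and so on.
# Events that arrive hours or days late still fall outside every run,
# which is the gap dwaddle warns about.
[hourly_laptop_security_summary]
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -65m@m
dispatch.latest_time = -5m@m
action.summary_index = 1
action.summary_index._name = summary_laptops
search = index=wineventlog sourcetype=WinEventLog:Security | sistats count by host, EventCode
```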
