Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Indexer Latency

hartfoml
Motivator
‎04-01-2013 03:16 PM

I have one heavy weight forwarder that is collecting from over 600 Universal Forwarder. I have syslog-ng installed on HW Forwarder collecting syslog to folder and reading folder with Splunk.

I am seeing (in SOS) an index latency of more than 1000 seconds on some of the indexes.
Where to look next for the cause is a problem????
How can i see if it is the indexers or my HW forwarder that is the bottle-neck.

I think it is the indexers but were to look to see where the issue is on the 3 indexers???

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hartfoml
Motivator
‎04-02-2013 07:25 AM

I found this article that talked about how to see the index time

http://splunk-base.splunk.com/answers/64388/is-_indextime-deprecated

I used the suggestion from Martin to right this search

index=firewall | eval diff = _indextime - _time | where diff > 0 | rename _indextime AS indxtime | rename _indextime AS indxtime | convert timeformat="%m/%d/%y %H:%M:%S" ctime(indxtime) | table _time indxtime diff

this alowed me to see the diff between the _time and the _indextime

Now I can set an alert if this number gets to high and to look for pasterns

View solution in original post

Reply
Solved! Jump to solution
Solution

hartfoml
Motivator
‎04-02-2013 07:25 AM

I found this article that talked about how to see the index time

http://splunk-base.splunk.com/answers/64388/is-_indextime-deprecated

I used the suggestion from Martin to right this search

index=firewall | eval diff = _indextime - _time | where diff > 0 | rename _indextime AS indxtime | rename _indextime AS indxtime | convert timeformat="%m/%d/%y %H:%M:%S" ctime(indxtime) | table _time indxtime diff

this alowed me to see the diff between the _time and the _indextime

Now I can set an alert if this number gets to high and to look for pasterns

Reply
Solved! Jump to solution

steve
Path Finder
‎04-02-2013 07:23 AM

This worked for me. Not sure why the table didn't like to display the raw indextime.

source=/var/log/* | eval time=_time | eval itime=_indextime | eval latency=(itime - time) | table time,itime,latency,_raw

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-01-2013 03:52 PM

You could do something like this:

some search | eval diff = _indextime - _time | where diff > some value

and go from there to see patterns of offending sources, hosts, splunk_servers, whatever.

Reply
Solved! Jump to solution

hartfoml
Motivator
‎04-02-2013 07:09 AM

Martin thanks for the help. I tried this search:
index=firewall | eval diff = _indextime - _time | where diff > 890 | table _indextime _time

I could not find the _indextime and the search would only find all results or no results as i increased the greater than number. I wanted to see the diff between the index time and the time so I added the table command but all that showed was the time not the indextime. Do you know how I can see the "index time"?

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month - Splunk Observability updates and improvements for faster ...

What’s New? This month, we’re delivering several enhancements across Splunk Observability Cloud for faster and ...

What's New in Splunk Cloud Platform 9.3.2411?

Hey Splunky People! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2411. This release ...

Buttercup Games: Further Dashboarding Techniques (Part 6)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top