Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Indexing Latency Chart

rotten
Communicator
‎09-24-2010 04:52 PM

It would be both useful and interesting to be able to graph the indexing latency for various data sources or hosts over time.

Is there a way to compare "insert time" (for the splunk database) with "event time" (from the source logfile) and build such a set of charts?

Tags (1)
Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎09-24-2010 06:44 PM

Yes, the "insert time" is the _indextime field and the "event time" is the _time field.

You can search:

... | eval lag = _indextime - _time | timechart median(lag) by ...
Reply

droth333
Explorer
‎12-01-2011 01:20 PM

This is fascinating stuff, but there's a datum missing that would
help me know everything for an indexing latency problem I have:
_time is timestamp on the event
_indextime is time it was indexed at the indexer.
need _arrivaltime, the time it arrive at the indexer.
Is there such a value?

In general where can I find these hidden groovy _* variables listed?
Thanks,
Dave

0 Karma
Reply

Lowell
Super Champion
‎09-27-2010 04:27 PM

Version note: Keep in mind that the _indextime field was added in version 4.0. With earlier versions you cannot track indexing latency like this.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...