
Looking for a way to show in real time what Splunk is indexing/ingesting regardless of log timestamp (feature request?)

Runals
Motivator

When you perform a real-time search (e.g., a 5-minute window), it is using the log's timestamp. As I'm trying to troubleshoot an issue, I'd like to know in a real-time capacity what is actually coming in regardless of the timestamp on the logs. I haven't been able to figure that out.

0 Karma

jspears
Communicator

From the timerange picker, select Real-time -> All time (real-time).

I believe the events list will still only show events that are current as of "now()" but you can click in the timeline to see future events in the list.

0 Karma

piebob
Splunk Employee

This is rather drastic, but you could change the input's timestamping properties (in props.conf) to use DATETIME_CONFIG = NONE, which means it will base the timestamp on the 'time of receipt' by Splunk.

0 Karma