Getting Data In

Network latency

peter_gianusso
Communicator

Regardless of one's approach with collecting data, Splunk is heavily dependent on the network.

How does one deal with infrequent network latency? It will disrupt one's alerts because the dispatch earliest time will not be back far enough to catch the events that should have been alerted on.

Is there a way to dynamically change the dispatch earliest time based on the network latency?

Any other approaches?

0 Karma

lukejadamec
Super Champion

In addition to network latency, you can also run into problems with index latency. I am not aware of a way to dynamically change the search time frame. However, one solution to both is to change the latest time from "now" to something like -2m@s, and adjust the earliest time accordingly. This example will compensate for 2 minutes of latency regardless of the cause.

0 Karma

peter_gianusso
Communicator

thanks that was my approach already but since latency is variable, hardcoding a time does not really work

dbylertbg
Path Finder

Agreed. It would be great to be able to have an option for time range of "automatic". If you then set the search to run every 10 minutes, it should set the time earliest time to -10m + max latency over the last period for the sourcetypes that will be used in the search. Splunk, can you make this a feature??

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...