Getting Data In

Splunk Index is slow or delayed

dbuchanan46
New Member

The issue I'm having is with an index and real-time reporting that uses that index. We currently use RabbitMQ to send JSON messages to a TCP port. The rate is only about 250 messages/second. In Splunk the messages seem to take a few minutes to completely show up. For example, when running a search of the sourcetype for the last 15 minutes, the most recent minute (ex. 11:50 am) might show a total of 500 events. When I run the same search a couple of minutes later, that same minute (11:50 am) has grown to 7,000. It appears the index takes a few minutes to catch up. We are trying to run real-time reports, so this is causing the reports to be inaccurate.

We have run real-time reports for other indexes we create the same way, so we are a little stumped on why this one doesn't act the same. Any help would be appreciated.

0 Karma

bmacias84
Champion

Real-time searches don't work the same as report searches (standard searches). This is because real-time searches search through events as they are being streamed to the index, while report searches are reading back from disk.

So if you have delays in sending or indexing, the search will only show events that it received in that window. If more events show up a few seconds/minutes later, they won't be shown in the real-time search. Since those events were delayed, when you run your search again for that same time period, not in real time, the indexer has caught up or finished receiving those delayed events, so your count is larger. You will see discrepancies if your Splunk queues on the indexers or forwarders are having blocking issues. Also, you could have NTP issues on your servers causing timestamp issues.

Additional Reading:

Hope this helps you or gets you started. Don't forget to vote and accept answers that help.
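One way to measure the delay the question describes, added here as an example rather than anything posted in the thread (the index and sourcetype names are assumed): compare each event's extracted timestamp with the time Splunk actually wrote it to the index.

```spl
index=rabbitmq sourcetype=rabbitmq:json earliest=-15m@m latest=@m
| eval index_lag_s = _indextime - _time
| bin _time span=1m
| stats count AS events, avg(index_lag_s) AS avg_lag_s, max(index_lag_s) AS max_lag_s, min(index_lag_s) AS min_lag_s BY _time
| sort - _time
```

A large avg_lag_s or max_lag_s is the forwarding/indexing delay that a real-time search will miss, while a negative min_lag_s means events carry timestamps ahead of the indexer's clock, which points at the NTP problem mentioned above.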
