Solved: What do we do if our UDP events are being delayed?

sdubey_splunk · ‎10-30-2018

We are experiencing a delayed indexing of UDP events.

Environment: UF -> Indexer.

Event1 was sent to indexer(confirmed via tcpdump that the messages are sent successfully to indexer).

Event2 was sent after 4 hours and only then was Event1 visible via search and Event2 searchable. Then, after that, Event3 is sent. So in short there is delay in indexing.

Already tried: props.conf

[devservers]
TRANSFORMS-index = hosts
SHOULD_LINEMERGE = false
TIME_FORMAT = %b %d %H:%M:%S
TIME_PREFIX = ^

2.Also tried updating props.conf (Event had date twice in the event)
BREAK_ONLY_BEFORE_DATE

How do we fix this issue?

sdubey_splunk · ‎10-30-2018

The issue has been resolved after implementing the DATETIME_CONFIG=none in props.conf and restarting splunk service.

View solution in original post

sdubey_splunk · ‎10-30-2018

The issue has been resolved after implementing the DATETIME_CONFIG=none in props.conf and restarting splunk service.

What do we do if our UDP events are being delayed?

OpenTelemetry for Legacy Apps? Yes, You Can!

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

.conf25 Community Recap

Are you a member of the Splunk Community?

What do we do if our UDP events are being delayed?

OpenTelemetry for Legacy Apps? Yes, You Can!

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

.conf25 Community Recap