Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What is the frequency with which logs are read in Splunk?

garimayadav
New Member
‎02-28-2015 03:29 AM

What is the frequency with which logs are read in Splunk? Does delay in seeing recent log details in Splunk related to poor indexing?
And if indexing is perfectly fine, then what should be the ideal time after which details of a new request must be visible in Splunk?

Tags (2)
0 Karma
Reply

satishsdange
Builder
‎03-01-2015 09:53 PM

Hi garimayadav -

Questions asked by you purely depends upon data volume/day, underlying hardware, deployment architecture, network latency. Following links will address your queries. Please have a look.

http://docs.splunk.com/Documentation/Splunk/6.2.2/Capacity/Forwarder-to-indexerratios
http://docs.splunk.com/Documentation/Splunk/6.2.2/Capacity/Referencehardware
http://docs.splunk.com/Documentation/Splunk/6.2.2/Capacity/Performancechecklist
http://docs.splunk.com/Documentation/Splunk/6.2.2/Capacity/Summaryofperformancerecommendations

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎03-01-2015 08:17 AM

Hi garimayadav,

an universal forwarder will poll / check the files once a second.

cheers, MuS

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎02-28-2015 08:07 AM

From my understanding, there is no "frequency." If the file changes, it starts forwarding the new data. There are technically several ways to do this, I don't know which one Splunk uses, but I have used a few throughout my programming career.

How soon should you see indexed data in Splunk? That depends on the processing of the data at index time. If not much is being looked at, you can have data visible sub-second after it is placed in a file on a forwarder, if all the stars align properly. We index about 350GB/day and see most of our data within 10 seconds with most of that under 5 seconds. I have had "Last 5 seconds" searches that fill up even the last 1 second slot with almost as many events as the other 4 slots.

If your indexing is putting structure on the data, or the indexing has to search hard to find the timestamp, or your network is slow, or the indexing hardware is slow (especially the disks), these things can lead to slow indexing of the data.

0 Karma
Reply

garimayadav
New Member
‎02-28-2015 09:19 AM

Thanks Cary 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...