Security

Log latency

VijaySrrie
Builder

Hi Team,

We could see latency in logs

Log ingestion via - syslog

Network devices --> Syslog server --> splunk 

Using below query, we could see minimum 10 mins to maxminum 60 mins log latency

index="ABC" sourcetype="syslog" source="/syslog*" 
| eval indextime=strftime(_indextime,"%c")
| table _raw _time indextime



What should be our next steps to check where the latency is and how to fix it?

0 Karma
1 Solution

VijaySrrie
Builder

@KendallW 
INFO ThruputProcessor [2963 parsing] - Current data throughput (5125 kb/s) has reached maxKBps. As a result, data forwarding may be throttled. Consider increasing the value of maxKBps in limits.conf.

We will try increasing the limits.

View solution in original post

0 Karma

VijaySrrie
Builder

@KendallW 
INFO ThruputProcessor [2963 parsing] - Current data throughput (5125 kb/s) has reached maxKBps. As a result, data forwarding may be throttled. Consider increasing the value of maxKBps in limits.conf.

We will try increasing the limits.

0 Karma

KendallW
Contributor

Hi @VijaySrrie assuming you are collecting the logs on syslog server then forwarding to Splunk with a UF?
You can check if the UF is reaching its thruput limit which could cause indexing lag:

index=_internal sourcetype=splunkd component=ThruputProcessor "has reached maxKBps" 



Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...

span_metrics: The OpenTelemetry-Idiomatic Way to See Inside Your Services

You open a trace in Splunk Observability Cloud and everything looks fine. One root span, order-pipeline, with ...