We are seeing a long lag for our forwarders to send in data to Splunk - up to 4 hours!!!
When we run this command we can see the output with a high max_lag in seconds.
We are monitoring a file directory with lots and lots of files (100,000+) we are wondering if this could be the issue and is there some way to know from the forwarder it cant keep up? Or is there another solution?
We are testing this prop now, but we are unsure if it will help, as we are unsure if it is the issue?