Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Can the Splunk OS TAs capture time?

danielbb
Motivator
‎04-27-2020 11:15 AM

Apparently, the Splunk OS TAs don't capture time and if there are index time delays, _time would be skewed and actually be _indextime.

For example, the output of df.sh is -

Filesystem                                          Type              Size        Used       Avail      UsePct    MountedOn
/                                                   xxx               50G         18G         30G         37%    /
/yyyyy                                              xxx              600G        401G        186G         69%    /yyyyy
/zzzzz                                              xxx               50G         18G         30G         37%    /zzzzz

Is there anything we can do about it?

Tags (4)
0 Karma
Reply

PavelP
Motivator
‎04-30-2020 02:16 AM

Hello @danielbb,

I think TA_nix developers did it intentionally - the disk usage dosn't change rapidly and any change will not be apparent because of using the human readable format anyway - the usage is rounded to GB.

But it is easy to change by modifing df.sh (prepend with date command) and adjusting props.conf on the indexer side.

For a real time statistic it is better to use sysstat, particularly 

sar -F 1 /dev/sda1

or 

sar -F 1
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...