Can the Splunk OS TAs capture time?

danielbb · ‎04-27-2020

Apparently, the Splunk OS TAs don't capture time and if there are index time delays, _time would be skewed and actually be _indextime.

For example, the output of df.sh is -

Filesystem                                          Type              Size        Used       Avail      UsePct    MountedOn
/                                                   xxx               50G         18G         30G         37%    /
/yyyyy                                              xxx              600G        401G        186G         69%    /yyyyy
/zzzzz                                              xxx               50G         18G         30G         37%    /zzzzz

Is there anything we can do about it?

PavelP · ‎04-30-2020

Hello @danielbb,

I think TA_nix developers did it intentionally - the disk usage dosn't change rapidly and any change will not be apparent because of using the human readable format anyway - the usage is rounded to GB.

But it is easy to change by modifing df.sh (prepend with date command) and adjusting props.conf on the indexer side.

For a real time statistic it is better to use sysstat, particularly

sar -F 1 /dev/sda1

or

sar -F 1

Can the Splunk OS TAs capture time?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...