Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Plot time lag trend with scheduled search

sdwilkerson
Contributor
‎02-23-2012 12:49 PM

Hello,

We have the "Opsec Lea for Checkpoint Linux" app pulling logs from the Checkpoint Enterprise log collector. However, the data is very slowly catching up to present and current data is several hours behind.

To see/visualize the delay, I can do a search like this with Realtime|AllTime in the Timepicker. 

index=firewall | eval timeDiff=_time-_indextime | eval _time=now() | timechart limit=0 span=5m avg(timeDiff) by host

This time, shows me live events as they come in, and calculates the difference between the event time and Index time.

This is perfect for an ad-hoc search, but I would like to schedule something similar to run every few minutes, and dump the results to a lookup via outputlookup. The goal, is to monitor this data over a long period of time quickly, without re-running the above search over hours/days of data.

The problem is, you can't schedule this search as Realtime|AllTime since then the search will never complete. If you ran it for say, "Last XX Minutes" then it looks at _time and these events haven't happened yet since they are several hours behind. If we ran the search to look back several hours, to ensure we would see the events, then this skews my results as something like avg(timeDiff) would be over a larger block of time and isn't correct. Plus, if the amount of lag diminishes over time, querying the extra x-hours before the last event is unnecessary work.

Any thoughts?

Thanks In Advance,

Sean

Tags (2)
Reply

rshoward
Path Finder
‎05-23-2012 06:53 AM

I just posted this for a low overhead way of doing what I hope I understood you are trying to accomplish.

http://splunk-base.splunk.com/answers/48731/determining-logging-lag-and-device-feed-monitoring

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...