Hi there,
is there any query to find out the forwarders which are reporting for the last 1 day, or if there is a delay in the logs?
Thanks
You can use this search to measure latency in the events, which is the difference between when the application wrote the log event timestamp and the time the event was indexed. You can scope the index, host, source, etc. if you are interested in the latency from a particular source:
index=main | eval delay=_indextime-_time | stats min(delay) avg(delay) max(delay) by host sourcetype source
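To show what that search computes, here is an added Python example (not from the answer above or from Splunk) that applies the same logic to a handful of constructed events: it derives `delay = _indextime - _time` per event, aggregates min/avg/max per (host, sourcetype, source) exactly like the `stats ... by` clause, and also answers the first half of the question by listing hosts that have not sent anything within a chosen window. The sample events, the `NOW` reference time, the 60-second lag threshold and the one-day silence window are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed "current time" for the constructed sample (an assumption, not real data).
NOW = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)


def _epoch(dt):
    """Epoch seconds, matching how Splunk stores _time and _indextime."""
    return int(dt.timestamp())


# Constructed sample events, not real Splunk output. _time is the timestamp
# the application wrote; _indextime is when the indexer received the event.
SAMPLE_EVENTS = [
    {"host": "web01", "sourcetype": "access_combined", "source": "/var/log/nginx/access.log",
     "_time": _epoch(NOW - timedelta(minutes=5)),
     "_indextime": _epoch(NOW - timedelta(minutes=5)) + 3},
    {"host": "web01", "sourcetype": "access_combined", "source": "/var/log/nginx/access.log",
     "_time": _epoch(NOW - timedelta(minutes=2)),
     "_indextime": _epoch(NOW - timedelta(minutes=2)) + 7},
    # A host whose forwarder is queuing: events arrive 30 minutes late.
    {"host": "db01", "sourcetype": "syslog", "source": "/var/log/messages",
     "_time": _epoch(NOW - timedelta(minutes=10)),
     "_indextime": _epoch(NOW - timedelta(minutes=10)) + 1800},
    # A host that stopped reporting two days ago.
    {"host": "app02", "sourcetype": "syslog", "source": "/var/log/messages",
     "_time": _epoch(NOW - timedelta(days=2)),
     "_indextime": _epoch(NOW - timedelta(days=2)) + 5},
]


def latency_by_group(events):
    """Mirror of: eval delay=_indextime-_time | stats min(delay) avg(delay) max(delay)
    by host sourcetype source. Returns {(host, sourcetype, source): {...}}."""
    delays = defaultdict(list)
    for ev in events:
        delays[(ev["host"], ev["sourcetype"], ev["source"])].append(ev["_indextime"] - ev["_time"])
    return {
        key: {"min": min(d), "avg": sum(d) / len(d), "max": max(d), "count": len(d)}
        for key, d in delays.items()
    }


def lagging_groups(stats, threshold_seconds):
    """Groups whose worst-case delay exceeds the threshold (candidate forwarding problems)."""
    return sorted(key for key, s in stats.items() if s["max"] > threshold_seconds)


def _last_indexed_by_host(events):
    last = {}
    for ev in events:
        last[ev["host"]] = max(last.get(ev["host"], 0), ev["_indextime"])
    return last


def reporting_hosts(events, now, window):
    """Hosts that have had at least one event indexed within `window` of `now`."""
    cutoff = _epoch(now) - int(window.total_seconds())
    return sorted(h for h, t in _last_indexed_by_host(events).items() if t >= cutoff)


def silent_hosts(events, now, window):
    """Hosts known from the data whose most recent indexed event is older than `window`."""
    cutoff = _epoch(now) - int(window.total_seconds())
    return sorted(h for h, t in _last_indexed_by_host(events).items() if t < cutoff)


if __name__ == "__main__":
    stats = latency_by_group(SAMPLE_EVENTS)
    for key, s in sorted(stats.items()):
        print(key, s)
    print("lagging >60s:", lagging_groups(stats, 60))
    print("reporting in last day:", reporting_hosts(SAMPLE_EVENTS, NOW, timedelta(days=1)))
    print("silent for a day:", silent_hosts(SAMPLE_EVENTS, NOW, timedelta(days=1)))
```

Two caveats carry over to the real search: a host that has never sent an event cannot appear in `silent_hosts` (or in the `stats ... by host` output), so compare against an inventory of expected forwarders rather than only the data you have; and a large positive delay can come from clock skew or a bad timestamp extraction on the source as easily as from a forwarding backlog, so check `_time` parsing before blaming the forwarder.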
Hey @kteng2024! Don't forget to "accept" answers when someone answers your question. It helps make the answers more useful to others and awards karma points to the people who are helping you out. 🙂