Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

why events show up in 5 min. window but not in 30-sec for real-time search?

sou128
Explorer
‎04-16-2012 02:01 PM

hi,

pretty new to splunk. I'm setting up a realtime search that will refresh every 30 sec. Here's my query on the search form.

source="C:\tmp\log4j2.log" bam userlogin
and I selected 30-second window from the dropdown

I've a simple simulator class that writes a single msg to the log file every 3 seconds with a total of 20 msg's. The msg's don't show up as the timeline advances, but usually only the last msg shows up. But if I set the refresh window to a higher number like 5 min., all the msg's show up.

Can anyone explain why this is? thanks

Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎04-28-2015 03:08 PM

I can think of 2 reasons:
1: Every input pipeline has a latency (delay in delivery/processing until it is available for search). It my take more than 30 seconds for the app to gather the event, dump the logs to a file, Splunk forwarder to process them, Splunk indexer to to process them.
2: If you are processing a "durationful" event and are using the "start time", you will see this kind of problem. You should always use "end time" when you have a "duratoinful" event. If you use "start time" than events will appear "too far back" for your window to ever see them.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...