There are many simple solutions out there, and there are some apps and sophisticated solutions which make use of the KVstore to keep track of delayed events and other stuff, but I found them too complicated to use effectively across all the alerts. Here is the solution that I have been effectively using in many Splunk environments that I work on:

If the events are not expected to be delayed much (example: UDP inputs, Windows inputs, File Monitoring):

earliest=-5m@s latest=-1m@s
earliest=-61m@m latest=-1m@m

Usually any events could be delayed by a few seconds for many different reasons, so I found it safe to use a latest time of 1 min before now.

If the events are expected to be delayed by much more (example: Python-based inputs, custom add-ons):

earliest=-6h@h latest=+1h@h _index_earliest=-6m@s _index_latest=-1m@s

Here I always prefer to use index time as the primary reference for a few reasons:

- So the alert triggers close to the time when the event appears in Splunk
- We don't miss any events
- We cover events even if they are delayed by a few hours or more
- We also cover events if they contain a future timestamp, just in case

We are also adding earliest and latest along with the index-time search because:

- Using all-time makes the search so much slower
- With earliest_time, you can add the maximum amount of time you expect events to be delayed
- With latest_time, you can add a margin if you expect events to come with a future timestamp

Please let me know if I'm missing any scenarios. Or paste any other solution that you have for other users on the community.
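As an added example (not part of the original post), the Python model below shows what the two sets of modifiers actually return when a scheduled search runs. It resolves the `[+-]N<unit>@<unit>` modifier form used above with a small re-implementation of Splunk's relative-time rules (offset applied first, then snap down; `earliest` inclusive, `latest` exclusive; the `_index_*` pair bounds `_indextime` in the same way), and runs both strategies over constructed events with a `_time` and an `_indextime`. The run time `NOW`, the `SAMPLE_EVENTS` list and the helper names are all assumptions made for the example; the parser only handles the modifier shapes the post uses.

```python
"""Model how earliest/latest and _index_earliest/_index_latest bound a
scheduled Splunk alert, and which sample events each strategy returns.
Constructed example, not code from the original post."""
import re
from datetime import datetime, timedelta, timezone

# Seconds per unit for the relative-time modifiers used in the post
_UNIT = {"s": 1, "m": 60, "h": 3600, "d": 86400}
# Handles only the "[+-]N<unit>[@<unit>]" shape, e.g. -5m@s, +1h@h, -61m@m
_MOD_RE = re.compile(r"^(?:([+-]\d+)([smhd]))?(?:@([smhd]))?$")

UTC = timezone.utc
NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=UTC)  # assumed scheduled run time


def relative_time(modifier: str, now: datetime) -> datetime:
    """Resolve a relative time modifier against `now`: apply the offset
    first, then snap down to the snap unit (Splunk's documented order)."""
    m = _MOD_RE.match(modifier)
    if not m:
        raise ValueError(f"unsupported modifier: {modifier}")
    offset, unit, snap = m.groups()
    t = now
    if offset:
        t = t + timedelta(seconds=int(offset) * _UNIT[unit])
    if snap:  # truncate to a whole second/minute/hour/day (UTC)
        epoch = int(t.timestamp())
        t = datetime.fromtimestamp(epoch - epoch % _UNIT[snap], tz=UTC)
    return t


def select_events(events, now, earliest, latest,
                  index_earliest=None, index_latest=None):
    """Return the ids of events a search with these modifiers would return
    when run at `now`. earliest/_index_earliest are inclusive, the latest
    bounds exclusive; the _index_* pair is applied to _indextime."""
    lo, hi = relative_time(earliest, now), relative_time(latest, now)
    ilo = relative_time(index_earliest, now) if index_earliest else None
    ihi = relative_time(index_latest, now) if index_latest else None
    matched = []
    for ev in events:
        if not (lo <= ev["_time"] < hi):
            continue
        if ilo is not None and not (ilo <= ev["_indextime"] < ihi):
            continue
        matched.append(ev["id"])
    return matched


def ts(hour, minute, second=0):
    return datetime(2024, 1, 1, hour, minute, second, tzinfo=UTC)


# Constructed events: each has the timestamp parsed from the event (_time)
# and the moment the indexer received it (_indextime).
SAMPLE_EVENTS = [
    {"id": "prompt",  "_time": ts(11, 57, 10), "_indextime": ts(11, 57, 12)},
    {"id": "delayed", "_time": ts(9, 40, 0),   "_indextime": ts(11, 56, 0)},   # 2h16m late
    {"id": "future",  "_time": ts(12, 20, 0),  "_indextime": ts(11, 58, 30)},  # clock skew at source
    {"id": "old",     "_time": ts(11, 30, 0),  "_indextime": ts(11, 30, 5)},   # covered by an earlier run
]


def event_time_window(events, now=NOW):
    """First strategy from the post: bound on event time only."""
    return select_events(events, now, earliest="-5m@s", latest="-1m@s")


def index_time_window(events, now=NOW):
    """Second strategy from the post: wide event-time window plus a tight
    index-time window, so late and future-stamped events are still seen once."""
    return select_events(events, now, earliest="-6h@h", latest="+1h@h",
                         index_earliest="-6m@s", index_latest="-1m@s")


if __name__ == "__main__":
    print("event-time only :", event_time_window(SAMPLE_EVENTS))
    print("index-time bound:", index_time_window(SAMPLE_EVENTS))
```

Running it at the assumed 12:00:00 run time, the event-time-only search returns just `prompt`; the index-time-bound search returns `prompt`, `delayed` and `future` while still excluding `old`, whose `_indextime` falls outside the 5-minute index-time window and which an earlier scheduled run would already have reported.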