Hello everyone, I am concerned about single-event-match (e.g. observable-based) searches and the eventual indexing delay events may have. Would the usage of accelerated DM allow me to just ignore s...
We have a server running in Japan timezone. Recently when we did not find logs during a live testing.
Next day we ran the query to calculate delta between indextime and event time --- eval delta=_...
Is there a delay in the Splunk API server 'seeing' events that are already indexed? I use the Splunk API to query logs for some testcases. I can submit a job to the API server (`POST https://<S...
Using props.conf I'm able to extract the fields but on the Splunk dashboard, the data is not visible for the timing 05:26 pm and data is visible for 05:27 pm, if I check after 2-3 minutes the entry a...
Hello, Team! I see delays in the receipt of events in the indexes. Events are collected by SplunkForwarder agents. In the case of a complete absence of events, restarting agents helps, but if t...
...reation, or when I restart Splunk instance, the index size decreases to nearly half of the max index size.
Is there any idea of why there is so significant delay for Splunk purging old events? a...
...hat any previous events that were sent between 8:00 and 9:00 are not sent again.
Is it best to use the index time rather than extract the time from the event during indexing?
Is there a way to a...
We are experiencing a delayed indexing of UDP events.
Environment: UF -> Indexer.
Event1 was sent to indexer (confirmed via tcpdump that the messages are sent successfully to indexer).
Event...