We are experiencing a delayed indexing of UDP events.
Environment: UF -> Indexer.
Event1 was sent to indexer(confirmed via tcpdump that the messages are sent successfully to indexer).
Event2 was sent after 4 hours and only then was Event1 visible via search and Event2 searchable. Then, after that, Event3 is sent. So in short there is delay in indexing.
Already tried: props.conf
TRANSFORMS-index = hosts
SHOULD_LINEMERGE = false
TIME_FORMAT = %b %d %H:%M:%S
TIME_PREFIX = ^
2.Also tried updating props.conf (Event had date twice in the event)
How do we fix this issue?
The issue has been resolved after implementing the DATETIME_CONFIG=none in props.conf and restarting splunk service.
View solution in original post