The latency in this case is exaggerated, because the script behind impl_splunk_gen
is creating events in chunks. In most production Splunk instances, the latency is
usually just a few seconds. If there is any slowdown, perhaps because of network
issues, the latency may increase dramatically, and so it should be accounted for.
This query produces a table showing, for every event, the event time, the index time, and the latency between them:
sourcetype=impl_splunk_gen
| eval latency = _indextime - _time
| eval time=strftime(_time,"%Y-%m-%d %H:%M:%S.%3N")
| eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S.%3N")
| table time indextime latency
The previous query produces the following table:
To deal with this latency, you should add enough delay in your query that populates
the summary index. The following are a few examples:

Confidence   Time slice   Earliest   Latest    cron
2 minutes    1 hour       -62m@m     -2m@m     2 * * * *
15 minutes   1 hour       -1h@h      -0h@h     15 * * * *
5 minutes    5 minutes    -10m@m     -5m@m     */5 * * * *
1 hour       15 minutes   -75m@m     -60m@m    */15 * * * *
1 hour       24 hours     -1d@d      -0d@d     0 1 * * *
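The following is an added example, not code from the book, that checks the rows of the table above. It resolves Splunk-style relative time modifiers (offset, then snap with `@`) against the time each cron entry fires, and verifies that the window covers exactly the time slice and that the latest edge sits at least the confidence interval before the run; `resolve_modifier` and `check_window` are names chosen here, and the run times are constructed to match each cron expression.

```python
import re
from datetime import datetime, timedelta

# Helper names (resolve_modifier, check_window) are assumptions for this example.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
MOD_RE = re.compile(r"^-(\d+)([smhd])@([smhd])$")

def resolve_modifier(mod: str, now: datetime) -> datetime:
    """Resolve a relative time modifier such as '-62m@m' against `now`:
    subtract the offset, then snap down to the unit named after '@'."""
    m = MOD_RE.match(mod)
    if not m:
        raise ValueError(f"unsupported modifier: {mod}")
    amount, unit, snap = int(m.group(1)), m.group(2), m.group(3)
    t = (now - timedelta(seconds=amount * UNIT_SECONDS[unit])).replace(microsecond=0)
    if snap in ("m", "h", "d"):
        t = t.replace(second=0)
    if snap in ("h", "d"):
        t = t.replace(minute=0)
    if snap == "d":
        t = t.replace(hour=0)
    return t

def check_window(earliest, latest, run_at, slice_s, confidence_s):
    """For a summary search scheduled at `run_at`, return
    (window covers exactly slice_s, latest edge is at least confidence_s old)."""
    e = resolve_modifier(earliest, run_at)
    l = resolve_modifier(latest, run_at)
    window_s = (l - e).total_seconds()
    gap_s = (run_at - l).total_seconds()  # time the newest events had to get indexed
    return window_s == slice_s, gap_s >= confidence_s

# Rows of the table above; run times are constructed to match each cron entry.
ROWS = [
    ("-62m@m", "-2m@m",  datetime(2024, 1, 2, 12, 2),  3600,  120),
    ("-1h@h",  "-0h@h",  datetime(2024, 1, 2, 12, 15), 3600,  900),
    ("-10m@m", "-5m@m",  datetime(2024, 1, 2, 12, 5),  300,   300),
    ("-75m@m", "-60m@m", datetime(2024, 1, 2, 12, 15), 900,   3600),
    ("-1d@d",  "-0d@d",  datetime(2024, 1, 2, 1, 0),   86400, 3600),
]

def all_rows_ok() -> bool:
    return all(check_window(*row) == (True, True) for row in ROWS)

def unpadded_example():
    """An hourly search at :15 over '-1h@h' to '-0m@m' with no padding: the
    window is 75 minutes, and the newest events have had no time to be indexed."""
    return check_window("-1h@h", "-0m@m", datetime(2024, 1, 2, 12, 15), 3600, 900)

if __name__ == "__main__":
    print("table rows pass:", all_rows_ok())
    print("unpadded search:", unpadded_example())
```

Events whose latency exceeds the gap between the latest edge and the run time are never counted by the summary search, which is why the table pads every window.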