How to Find the “LATENCY” between the Indexed Time and the Event Time in Splunk

Splunk stores two internal time fields on every indexed event: _time and _indextime.

_time is the event time: the timestamp extracted from the event itself, i.e. when the event was generated.

_indextime is the index time: when the event was written to disk by the indexer.

For several reasons (an indexer or forwarder being down, heavy traffic, a backed-up queue) the index time can lag behind the event time. The query below calculates that latency for every event.

Query:

index="*" OR index=_*
| eval indexed_time=strftime(_indextime,"%+")
| eval latency=_time-_indextime
| table _time,indexed_time,latency,index,_raw


Result:

[Screenshots of the result table with the _time, indexed_time, latency, index and _raw columns; not reproduced here]

Explanation:

The query above searches every index on the server, including the internal indexes (index=_*). "_time" and "_indextime" are internal fields that exist on every indexed event. The "strftime" function inside the first "eval" command formats "_indextime" into a readable string and stores it in the "indexed_time" field. The second "eval" command subtracts "_indextime" from "_time" and stores the difference in the "latency" field; both fields hold UNIX epoch seconds, so the subtraction can be done directly and the result is in seconds. Because the query subtracts the index time from the event time, an event that was indexed after it occurred shows a negative latency, and a positive value means the event timestamp is later than the index time (clock skew or a wrong timezone). Finally, the "table" command displays the "_time", "indexed_time", "latency", "index" and "_raw" fields.
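The same calculation can be done offline on exported search results, which is useful when checking whether a detection rule's time window could miss late-arriving events. The following script is an added example and not part of the original post: it assumes the JSON-lines format that a Splunk export produces (_time as an ISO-8601 string with UTC offset, _indextime as an epoch-seconds string), computes the latency as _indextime minus _time so that a positive number means delayed ingestion (the opposite sign from the query above), summarises it per index, and flags events that arrived later than a threshold or that carry a timestamp in the future. The sample events and the 300-second threshold are constructed for the example.

```python
"""Index-latency check over exported Splunk search results (added example).

Assumed input: JSON lines as produced by a Splunk export, with _time as an
ISO-8601 string with offset and _indextime as epoch seconds in a string.
"""
import json
from datetime import datetime
from statistics import mean

# Constructed sample: two indexes, one late event and one future-dated event.
SAMPLE_RESULTS = """
{"_time": "2023-03-01T10:00:00.000+00:00", "_indextime": "1677664802", "index": "main", "sourcetype": "syslog"}
{"_time": "2023-03-01T10:00:05.000+00:00", "_indextime": "1677665400", "index": "main", "sourcetype": "syslog"}
{"_time": "2023-03-01T11:00:00.000+01:00", "_indextime": "1677664803", "index": "web", "sourcetype": "access_combined"}
{"_time": "2023-03-01T10:30:00.000+00:00", "_indextime": "1677664810", "index": "web", "sourcetype": "access_combined"}
"""


def parse_results(text):
    """Yield (index, sourcetype, event_epoch, index_epoch) for each JSON line."""
    for line in text.strip().splitlines():
        rec = json.loads(line)
        # fromisoformat honours the UTC offset, so the 11:00+01:00 event
        # becomes the same epoch value as 10:00+00:00.
        event_epoch = datetime.fromisoformat(rec["_time"]).timestamp()
        index_epoch = float(rec["_indextime"])
        yield rec["index"], rec["sourcetype"], event_epoch, index_epoch


def latency_report(text, max_latency=300):
    """Return (per-index summary, anomalies).

    latency = _indextime - _time, in seconds; positive means the event was
    indexed after it happened, negative means the event timestamp lies in
    the future relative to the indexer's clock.
    """
    per_index = {}
    anomalies = []
    for idx, sourcetype, event_epoch, index_epoch in parse_results(text):
        latency = index_epoch - event_epoch
        per_index.setdefault(idx, []).append(latency)
        if latency < 0:
            anomalies.append((idx, sourcetype, latency,
                              "event time later than index time: clock skew or wrong timezone"))
        elif latency > max_latency:
            anomalies.append((idx, sourcetype, latency,
                              f"ingestion delayed more than {max_latency}s"))
    summary = {
        idx: {"count": len(values), "avg": mean(values), "max": max(values)}
        for idx, values in per_index.items()
    }
    return summary, anomalies


if __name__ == "__main__":
    summary, anomalies = latency_report(SAMPLE_RESULTS)
    for idx, stats in summary.items():
        print(f"{idx}: events={stats['count']} avg={stats['avg']:.1f}s max={stats['max']:.0f}s")
    for idx, sourcetype, latency, reason in anomalies:
        print(f"ANOMALY index={idx} sourcetype={sourcetype} latency={latency:.0f}s: {reason}")
```

In SPL the equivalent per-index view is a `| stats avg(latency) max(latency) by index` appended to the query above; the script is handy when the exported results are reviewed outside Splunk, for example while tuning the lookback of a scheduled search.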


Hope this has helped you in achieving the below requirement without fail:

How to Find the "LATENCY" between the Indexed Time and the Event Time in Splunk


Happy Splunking !!
