How to Find the “LATENCY” between the Indexed Time and the Event Time in Splunk
In Splunk there are two internal fields, _time and _indextime.
_time is the event time: the timestamp present in the event itself, i.e. when the event was generated.
_indextime is the indexed time: when the event was indexed on the indexer.
For various reasons (a server being down, heavy traffic, a forwarder backlog) there may be a difference between the indexed time and the event time. So we will find the latency between the indexed time and the event time.
Below we have given a query to find the latency.
Query:
index="*" OR index=_*
| eval indexed_time=strftime(_indextime,"%+")
| eval latency=_time-_indextime
| table _time,indexed_time,latency,index,_raw
Result: (screenshot not included)
Explanation:
In the above query we have searched all the indexes present on the server. Here "_time" and "_indextime" are existing internal fields of every indexed event. With the "strftime" function inside an "eval" command we have formatted "_indextime" and stored the result in the "indexed_time" field. With a second "eval" command we have computed the difference between "_time" and "_indextime" in the "latency" field. Both "_time" and "_indextime" are in UNIX epoch format (seconds), which is why we can subtract them directly. Finally, with the table command we have displayed the "_time", "indexed_time", "latency", "index" and "_raw" fields.
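The same computation, as an added example that is not part of the original post, run offline in Python over constructed events carrying Splunk-style _time and _indextime values. It goes slightly beyond the query: latency here is taken as _indextime - _time (the opposite sign of the page's eval, so a delayed event shows a positive number), and it adds a per-index summary and a threshold check, which is what you want when ingestion lag means alerts keyed on _time can fire late or miss events. The index names and timestamps are made up.

```python
from datetime import datetime, timezone
from statistics import mean

# Constructed sample events (not from the page): each mimics a Splunk event with
# its internal _time (event timestamp) and _indextime (when the indexer wrote it).
SAMPLE_EVENTS = [
    {"index": "main", "_time": 1700000000.0, "_indextime": 1700000002.0, "_raw": "app started"},
    {"index": "main", "_time": 1700000060.0, "_indextime": 1700000061.0, "_raw": "request ok"},
    {"index": "fw", "_time": 1700000000.0, "_indextime": 1700000900.0, "_raw": "deny tcp"},  # lagging source
    {"index": "_internal", "_time": 1700000030.0, "_indextime": 1700000030.0, "_raw": "metrics"},
]

def indexed_time(epoch: float) -> str:
    """Python counterpart of strftime(_indextime, "%+"): a readable timestamp (UTC here)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Z %Y")

def add_latency(events):
    """Mirror the two eval steps: format _indextime and compute the lag in seconds.
    Lag is _indextime - _time, so a delayed event is positive (page's eval uses the reverse sign)."""
    rows = []
    for ev in events:
        row = dict(ev)
        row["indexed_time"] = indexed_time(ev["_indextime"])
        row["latency"] = ev["_indextime"] - ev["_time"]
        rows.append(row)
    return rows

def latency_by_index(rows):
    """Per-index max and mean lag: the summary used to spot which source is falling behind."""
    per_index = {}
    for r in rows:
        per_index.setdefault(r["index"], []).append(r["latency"])
    return {idx: {"max": max(v), "mean": mean(v)} for idx, v in per_index.items()}

def lagging(rows, threshold_seconds=300):
    """Events indexed more than threshold_seconds after they happened (assumed threshold)."""
    return [r for r in rows if r["latency"] > threshold_seconds]

if __name__ == "__main__":
    rows = add_latency(SAMPLE_EVENTS)
    for r in rows:  # same columns as the page's table command
        print(r["_time"], r["indexed_time"], r["latency"], r["index"], r["_raw"])
    print(latency_by_index(rows))
    print(lagging(rows))
```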
Hope this has helped you in achieving the below requirement without fail:
How to Find the “LATENCY” between the Indexed Time and the Event Time in Splunk
Happy Splunking !!
Query not working, error in eval command.
The query is working fine. The error was because of the “” characters while pasting the query, so try editing the “”.
Remove the ” from the query and type ” again, because WordPress changes the double-quote format. That’s why you are getting that eval command error.