Splunk search for Indexing lag by host
Copy
| tstats count as events BY host,_time,_indextime span=1s | eval indexlag=_indextime-_time | stats avg(indexlag) as "Indexing Lag" by host
This search uses tstats to show the indexing lag experienced for each Splunk host. In Splunk, indexing lag is the amount of time it takes between an event being generated and it being ingested into a Splunk index.
0 comments
[0]
[0]
[0]
[0]
Sign in or Register to submit a comment