I have created an alert which checks if logs are not present in last 20 mins per source. I have around 32 source files from single forwarder. Many of my files are not getting indexed in real time and I am receiving this alert frequently.
Can anyone tell me any parameters which needs to be changed so that I can index the data in real time?
is there any mechanism to check what is the inflow rate of the data?
System Info:
I also see my CPU is around 80% idle and working Windows OS. I have 4 Core machine 32gb ram
Splunk Enterprise 6.4.3
↧