if((round(relative_time(now(), $time.latest$)-relative_time(now(), $time.earliest$))/$time_resolution$)<1,1,round((relative_time(now(), $time.latest$)-relative_time(now(), $time.earliest$))/$time_resolution$)) | makeresults if((round(relative_time(now(), $time.latest$)-relative_time(now(), $time.earliest$))/$time_resolution$)<1,1,round((relative_time(now(), $time.latest$)-relative_time(now(), $time.earliest$))/$time_resolution$)) | tstats count where index=_internal host=$selected_host$ | where count!=0 $time.earliest$ $time.latest$ $result.count$ | tstats count where index=_introspection component::Hostwide host=$selected_host$ | where count!=0 $time.earliest$ $time.latest$ $result.count$ | tstats count where index=_introspection component::hec* host=$selected_host$ | where count!=0 $time.earliest$ $time.latest$ $result.count$ | tstats max(_indextime) AS indexed_time count where host=$selected_host$ (index=* OR index=_*) latest=now earliest=$time.earliest$ _index_latest=$time.latest$ _index_earliest=$time.earliest$ by index host sourcetype splunk_server _time span=$seconds_for_bin$ | eval _time=round(_time), bin_delay=indexed_time-_time | bin span=2log5 bin_delay $time.earliest$ $time.latest$
-24h@h now if((round(relative_time(now(), $time.latest$)-relative_time(now(), $time.earliest$))/$time_resolution$)<1,1,round((relative_time(now(), $time.latest$)-relative_time(now(), $time.earliest$))/$time_resolution$)) All ( ) index=" " OR | stats count by index | eval label=index." (".count.")" * index index Crude Low Medium High Ultra 500

Please enter a value for host

Event metadata for $selected_host$

$show_introspection_link$

Hyperlink to _introspection metrics

depends="$show_internal_link$"

Hyperlink to _internal logs

depends="$show_introspection_hec_link$"

Show HEC metrics

Count of events generated at transmission time (_time) How many events were generated by $selected_host$ at time x, by index? | search $index_filter$ | timechart limit=0 span=$seconds_for_bin$sec sum(count) by index $start$ $end$ Count of events generated by received time (_indextime) by indexer? How many events were received from $selected_host$ at time x, by index? | search $index_filter$ | eval _time=indexed_time | timechart limit=0 span=$seconds_for_bin$sec sum(count) by index $start$ $end$ Delay of events by generation time (_time) When $selected_host$ generated events, how long did it take before they were indexed? | search $index_filter$ | eval bin_delay=if(bin_delay<0, "future", bin_delay) | timechart limit=0 span=$seconds_for_bin$sec sum(count) by bin_delay $start$ $end$ Delay of events by received time (_indextime) | search $index_filter$ | eval _time=indexed_time | eval bin_delay=if(bin_delay<0, "future", bin_delay) | timechart limit=0 span=$seconds_for_bin$sec sum(count) by bin_delay $start$ $end$ Count of events generated at transmission time (_time) How many events were generated by $selected_host$ at time x, by index? | search $index_filter$ | timechart limit=0 span=$seconds_for_bin$sec sum(count) by sourcetype Count of events generated by received time (_indextime) by indexer? Count of events generated by received time (_indextime) by indexer? | search $index_filter$ | eval _time=indexed_time | eval bin_delay=if(bin_delay<0, "future", bin_delay) | timechart limit=0 span=$seconds_for_bin$sec sum(count) by sourcetype Which indexer received the event from $selected_host$ | search $index_filter$ | eval _time=indexed_time | timechart limit=0 span=$seconds_for_bin$sec sum(count) by splunk_server $start$ $end$ some notes