Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Extreme Latency with Windows Events on one Windows Event Collector. How do I troubleshoot?

davidwaugh
Path Finder
‎08-20-2019 02:59 AM

Hello i have two windows event collectors. 3 domain controllers send their events to one event collector (WEC01), and three send their events to another event collector.(WEC02)

From 8.00 onwards (eg the start of the working day) the events from WEC02 are getting progressively delayed up to about 20,000 seconds behind, before eventually catching up by about 4AM in the morning.

Both systems have the same configurations on them, which are managed by a deployment server.

I have looked at:
https://answers.splunk.com/answers/224727/why-is-my-universal-forwarder-showing-extreme-lag.html?utm...

And various other posts and have the following set:

limits.conf

[thruput]
maxKBps = 0

Outputs.conf

alt text

There doesnt appear to be any blockage in terms of indexer queues as other events are indexed fine and there is no latency. CPU, Memory and Network is all fine on the virtual machine. I can see no obvious reason why there is a delay.

Both Windows Event collectors are virtual machines. They may be on different physical hosts. There is a difference in latency in packets between the two hosts.

Here is a screenshot from the resouce monitor, network activity.

Slow Windows Event Collector (High Latency)

alt text

Fast Windows Event Collector (low latency)

Preview file
1 KB
Preview file
1 KB
Reply

itrimble1
Path Finder
‎08-22-2019 06:21 AM

Any difference in the configuration of WEC02 from a collector or UF configuration?
Is the volume of Events the same for WEC02?

0 Karma
Reply

davidwaugh
Path Finder
‎08-22-2019 06:24 AM

Nope, if anything there are fewer events on WEC02 than there are on WEC01.

0 Karma
Reply

itrimble1
Path Finder
‎08-22-2019 06:28 AM

Have you checked your indexers for congestion ? Have you checked the parsingQueue or the indexQueue ?

Reply

davidwaugh
Path Finder
‎08-22-2019 06:43 AM

Yep no congestion on the indexers. For instance at the same time I am ingesting syslog events and the delay for these is only a few seconds.

As far as I'm ware if this was an indexer problem, then all indexes would should as being behind, and not just one index, and not from only one forwarder.

0 Karma
Reply

itrimble1
Path Finder
‎08-22-2019 09:25 AM

How are is your ForwardedEvents Stanza configured?

[WinEventLog://ForwardedEvents]
sourcetype = WinEventLog:ForwardedEvents
disabled = 0
#start_from = oldest
current_only = 1
evt_resolve_ad_obj = 1
checkpointInterval = 5

Have you tried to change start_from to newest, restart, then switch it back to oldest ?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...