Latency is the difference between the time assigned to an event (usually parsed from the text) and the time it was written to the index. Both times are captured, in
This query will show us what our latency is:
sourcetype=impl_splunk_gen | eval latency = _indextime - _time | stats min(latency) avg(latency) max(latency)
In my case, these statistics look as shown in the following screenshot:
The latency in this case is exaggerated, because the script behind impl_splunk_gen is creating events in chunks. In most production Splunk instances, the latency is usually just a few seconds. ...
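The same calculation can be broken down per host and source to show where the delay comes from. The search below is an added example, not part of the original text; it reuses the page's sourcetype and adds a 95th percentile plus a count of events whose parsed timestamp is later than their index time (negative latency), which usually points to a clock or time zone parsing problem rather than slow delivery. The output field names are chosen here for illustration.

```spl
sourcetype=impl_splunk_gen
| eval latency = _indextime - _time
| stats count AS events
        min(latency) AS min_latency
        avg(latency) AS avg_latency
        perc95(latency) AS p95_latency
        max(latency) AS max_latency
        count(eval(latency < 0)) AS future_stamped
        BY host, source
| eval avg_latency = round(avg_latency, 1)
| eval timestamp_check = if(future_stamped > 0, "event time ahead of index time", "ok")
| sort - p95_latency
```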