In our environment we have syslog sources that forward data to HFs via a load balancer. I would like to get a report of the latency between the source and the HF.
So in a picture format, it will be like:
Endpoint (event generated) Time T1, Heavy Forwarder (the same event reached HF) Time T2, Indexer (when that same event was indexed) Time T3.
So what we need is
T2 – T1 = time taken to reach HF
T3 – T2 = time taken to get the event indexed
T3 – T1 = total time taken for the event to be usable.
When we get the above information for each endpoint (only sample) we will be able to get to the bottom of the problem.
Then we have to go and dig deeper to find out where the problem is:
1. HF is retransmitting or
2. indexer queues are full or
3. we are running out of CPU or
4. we are wasting time on reading and writing from the disks on the HF
Thanks for your help in advance.