Yet another case of Logstash Delays

I’m working on a logging solution that is really nothing more than a forwarder. rsyslog on several servers are sending their logs to Logstash, which then send them out to HEC splunk endpoint.

In Logstash, we are using the TCP endpoint without persistent queues. We are not doing any filtering at all.

This is an AWS m5.xlarge instance (4 vCPU, 16 GiB Ram, iot type disk). There is next to no load on the box.

The problem it that some items arriving into the Splunk endpoint are being ingested up to 10 hours after they were being created. This only happens on certain “source types”.

My understanding of this use case logstash is that, logstash does not care about ‘source-types’ it takes logs in and sends them out. Is there any reason for any type of message as being delayed?



logstash.yml /var/lib/logstash
path.logs: /var/log/logstash
pipeline.ordered: false
#pipeline.workers: 12
pipeline.workers: 40
pipeline.batch.size: 1536
log.level: info
pipeline.ecs_compatibility: disabled
dead_letter_queue.enable: true


input {

  tcp {

    port => 1514



filter {


output {

  http {

    http_method => “post”

    url => “https://mysecret_hec_endpoint/services/collector/event/1.0”

    headers => [“Authorization”, “Splunk my-super-secret-hec-toke”]

    mapping => {

      event => “%{message}”

     # logstash_time => “%{@timestamp}”




This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.