topic Re: Difference in _time and _indextime for logs in Splunk Search

Difference in _time and _indextime for logs

JuhiSaxena — Thu, 20 Dec 2018 12:08:35 GMT

Hi,
We are getting indexing lag in one of our splunk index. There is variation in _index-time and _time hence producing lag. On further observation we found that the _time is being picked from the log events and the data looks like below:-

_time, _indextime, LogEvent
2018-12-20 03:25:12, Thu Dec 20 03:25:48 PST 2018, Monitor Counter Information At Thu Dec 20 03:25:12 2018 Transformation Name

Re: Difference in _time and _indextime for logs

FrankVl — Thu, 20 Dec 2018 12:24:53 GMT

So you have a 36 second delay in this case? I've seen worse, but depending on how you're ingesting the data it is probably an indicator of some kind of issue that these two are not closer together.

Couple of questions:
- are both the source device and the splunk server(s) properly synced to an NTP server (ie. are their clocks in sync)?
- how exactly are you ingesting this data?
- do you see any queuing issues on any of the splunk components (forwarders, indexers) involved?

Re: Difference in _time and _indextime for logs

jconger — Fri, 21 Dec 2018 20:32:25 GMT

How is the data sent to Splunk? Is this via HEC, file monitor, script, an add-on, etc.?

_time is the timestamp of the actual event; whereas, _indextime is the timestamp when Splunk actually indexed the event. Depending on the input, these two timestamps may be very far apart. For example, if you use a file monitor input that has data from a year ago, _time will be a year ago, but _indextime will be "now". Similarly, scripts and several add-ons use an interval for data collection. A delay could be seen from when the event was generated from when the input script ran.

Here is how Splunk determines the _time timestamp -> https://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps#How_Splunk_software_assigns_timestamps