https://community.splunk.com/t5/Splunk-Search/I-m-trying-to-determine-if-by-date-time-stamps-if-we-are-getting/m-p/516771#M145266 <P>Usually the earlier timestamp is the event's creation time and the second one indexing time. Of course if your event ( source system) has wrong timezone then it could be otherwise.</P><P>Have you raw event and props.conf (/transforms.conf) where we could try to figure it out?</P><P>r. Ismo</P> Fri, 28 Aug 2020 16:35:29 GMT isoutamo 2020-08-28T16:35:29Z https://community.splunk.com/t5/Splunk-Search/I-m-trying-to-determine-if-by-date-time-stamps-if-we-are-getting/m-p/516748#M145252 <P>Hello,</P><P>I'm trying to determine if we are getting all the TrendMicro logs by comparing what's in Splunk and what's in Trend. There are 2 date/time stamps in the Splunk logs which I assume 1 is the actual event date/time and the other is the Splunk index date/time.&nbsp;</P><P>I've ran the following 2 searches which return the same date_time stamps but I would expect to be different since the 2 date/times are different.</P><P>Times:</P><P><SPAN class="t">Aug</SPAN> <SPAN class="t">28</SPAN> <SPAN class="t">11:18:43</SPAN>&nbsp;x.x.x.x&nbsp;<SPAN class="t">Aug</SPAN> <SPAN class="t">28</SPAN> <SPAN class="t"><SPAN class="t h">15:12</SPAN>:19</SPAN></P><P>index=trendmicro | eval mytime=strftime(_time,"%Y-%m-%dT%H:%M:%S.%Q %Z")</P><P><A title="2020-08-28T11:18:43.000 EDT" href="https://10.94.2.111:8000/en-US/app/search/search?q=search%20index%3Dcorp_prod_trendmicro%20%7C%20eval%20mytime%3Dstrftime(_time%2C%22%25Y-%25m-%25dT%25H%3A%25M%3A%25S.%25Q%20%25Z%22)&amp;display.page.search.mode=smart&amp;dispatch.sample_ratio=1&amp;workload_pool=&amp;earliest=-15m&amp;latest=now&amp;display.events.fields=%5B%22host%22%2C%22source%22%2C%22sourcetype%22%2C%22index%22%2C%22prefix%22%2C%22type%22%2C%22Type%22%2C%22mytime%22%5D&amp;sid=1598627924.30851#" target="_blank" rel="noopener">2020-08-28T11:18:43.000 EDT</A></P><P>index=trendmicro | eval mytime=strftime(_indextime,"%Y-%m-%dT%H:%M:%S.%Q %Z")</P><P><A title="2020-08-28T11:18:43.000 EDT" href="https://10.94.2.111:8000/en-US/app/search/search?q=search%20index%3Dcorp_prod_trendmicro%20%7C%20eval%20mytime%3Dstrftime(_time%2C%22%25Y-%25m-%25dT%25H%3A%25M%3A%25S.%25Q%20%25Z%22)&amp;display.page.search.mode=smart&amp;dispatch.sample_ratio=1&amp;workload_pool=&amp;earliest=-15m&amp;latest=now&amp;display.events.fields=%5B%22host%22%2C%22source%22%2C%22sourcetype%22%2C%22index%22%2C%22prefix%22%2C%22type%22%2C%22Type%22%2C%22mytime%22%5D&amp;sid=1598627924.30851#" target="_blank" rel="noopener">2020-08-28T11:18:43.000 EDT</A></P><P>How can I pull/report on both of these fields with both of the date_time stamps so we can determine we are getting all logs as well as if the indexer(s) are under resourced?</P> Fri, 28 Aug 2020 15:33:10 GMT https://community.splunk.com/t5/Splunk-Search/I-m-trying-to-determine-if-by-date-time-stamps-if-we-are-getting/m-p/516748#M145252 clunde 2020-08-28T15:33:10Z https://community.splunk.com/t5/Splunk-Search/I-m-trying-to-determine-if-by-date-time-stamps-if-we-are-getting/m-p/516753#M145256 <P>Hi</P><P>_time is (usually) when event is originally created on source system.</P><P>_indextime is when event is ingested to splunk and written to splunk index.</P><P>Usually those two should be quite similar (difference some seconds), but if there are some issues to collect and deliver events to splunk there could be long difference between those.</P><P>Another reason for that is wrongly configured TZ (time zone) information and/or your equipment don't use same time source to sync their time (ntp is suitable for that).</P><P>You could put those to report just like you already show in your guestion. Just use different names for those.</P><P>Best and easiest way to solve why there are difference between those is take MC (monitoring console) into use and look e.g. Settings -&gt; MC -&gt; Indexing -&gt; performance is there any bottle necks sawn.</P><P>There are lot of other questions about this issue and also excellent .conf presentations how to solve this which you could found by using google.&nbsp;</P><P>r. Ismo</P> Fri, 28 Aug 2020 15:41:56 GMT https://community.splunk.com/t5/Splunk-Search/I-m-trying-to-determine-if-by-date-time-stamps-if-we-are-getting/m-p/516753#M145256 isoutamo 2020-08-28T15:41:56Z https://community.splunk.com/t5/Splunk-Search/I-m-trying-to-determine-if-by-date-time-stamps-if-we-are-getting/m-p/516767#M145265 <P>Thank you for the information!</P><P>Do you know if the first time stamp is the _time or if it's the _indextime?</P><P>&nbsp;</P><P>Thank you!</P> Fri, 28 Aug 2020 16:29:24 GMT https://community.splunk.com/t5/Splunk-Search/I-m-trying-to-determine-if-by-date-time-stamps-if-we-are-getting/m-p/516767#M145265 clunde 2020-08-28T16:29:24Z https://community.splunk.com/t5/Splunk-Search/I-m-trying-to-determine-if-by-date-time-stamps-if-we-are-getting/m-p/516771#M145266 <P>Usually the earlier timestamp is the event's creation time and the second one indexing time. Of course if your event ( source system) has wrong timezone then it could be otherwise.</P><P>Have you raw event and props.conf (/transforms.conf) where we could try to figure it out?</P><P>r. Ismo</P> Fri, 28 Aug 2020 16:35:29 GMT https://community.splunk.com/t5/Splunk-Search/I-m-trying-to-determine-if-by-date-time-stamps-if-we-are-getting/m-p/516771#M145266 isoutamo 2020-08-28T16:35:29Z