topic Re: How do I search for events within _indextime? in Splunk Search

How do I search for events within _indextime?

mcbradfordwcb — Fri, 12 Oct 2018 13:27:58 GMT

I understand the behavior of Splunk when using _indextime, but I want to know what query would do what I really am looking for.

In the sample query:

index="bro"  _indextime > 1539343843 _indextime <= 1539343963

And with the timepicker set to last 24 hours, Splunk will actually look for events indexed between the time specified and _time within the last 24 hours.

I do not want Splunk to search _time, I only want it to search for events within _indextime

Re: How do I search for events within _indextime?

kamlesh_vaghela — Fri, 12 Oct 2018 15:51:50 GMT

@mcbradfordwcb

_indextime is hidden field. So you can not use directly.

Can you please try this?

  index="bro" | eval T=_indextime |where T > 1539343843 AND T <= 1539343963

Re: How do I search for events within _indextime?

mcbradfordwcb — Fri, 12 Oct 2018 17:15:21 GMT

Even though _indextime is a hidden field it can be used. The search provided does not work. Regardless, if the eval did work, I think it would perform the same way and not do what I need it to do, which is to ONLY show me results for events that were INDEXED within the time I have specified.

Re: How do I search for events within _indextime?

493669 — Tue, 29 Sep 2020 21:36:44 GMT

@mcbradfordwcb
you can use time modifiers for index time like

index=<indexname> _index_earliest=-h@h _index_latest=@h

Similar to earliest and latest for _time, _index_earliest and _index_latest are available for _indextime.
refer this blog- https://www.splunk.com/blog/2013/09/26/an-introduction-to-the-theory-or-relative-time-modifiers-for-indextime.html

Re: How do I search for events within _indextime?

mcbradfordwcb — Thu, 12 Oct 2023 15:57:40 GMT

index="bro" _index_earliest > 1539343843 _index_latest <= 1539343963

Does not work. It looks like Splunk is treating these as actual terms to search.

Re: How do I search for events within _indextime?

493669 — Sat, 13 Oct 2018 05:54:25 GMT

@mcbradfordwcb,
it is working please check for ex:-

index=_internal _index_earliest>1539343843 _index_latest<=1539343963

Re: How do I search for events within _indextime?

corey_reynders — Tue, 29 Sep 2020 22:18:53 GMT

I would run with the following :

index="bro" earliest=0 latest=now()  _indextime > 1539343843 _indextime <= 1539343963

Since the time picker cannot be configured to run against a different field you have to search all of time and then filter based on the _indextime you want to see, sadly it is not fast if your index is big.

_index_earliest and _index_latest do work but since you don't really see the index time it becomes difficult to validate your search results are accurate. This is what I normally do to see that :

<search> | eval _time=_indextime

This will cause your event timeline to show the events by _indextime so that you can validate the results easier.

My index has lots of overlapping equivalent timestamps and I need to pull the latest values by _indextime so I often end up doing this :

<search> | eval orig_time=_time,_time=_indextime | stats latest(stuff) | eval _time=orig_time | timechart <stuff>

I'm not sure exactly what your data looks like but that helps me get the latest indexed values regardless of the _time of the event (slow... but it works).

Re: How do I search for events within _indextime?

marycordova — Fri, 07 Dec 2018 00:04:25 GMT

here is a decent debate and some tips around _indextime

https://answers.splunk.com/answers/678655/how-to-trigger-alerts-when-indextime-time-1.html