Solved: Event received time vs parsed event time

alexander_lucas · ‎09-05-2011

Dears,

Are there separate fields for:

Event received time (when event was received by Splunk); and

Parsed (extracted) event time?

My understanding is that for any events that have a recognisable timestamp Splunk will try to extract it at index time and store in the _time internal field (as epoch time).

Then at search time Spunk dynamically creates date_* fields. What I would like to know if there is another field that contains event received time (regardless of the event content, extractions etc) ?

gkanapathy · ‎09-05-2011

There is a field _indextime on each event that indicates when an event was indexed.

View solution in original post

gkanapathy · ‎09-05-2011

There is a field _indextime on each event that indicates when an event was indexed.

alexander_lucas · ‎09-06-2011

thank you gk and araitz

araitz · ‎09-05-2011

To make it viewable, add to your search: | eval indextime=_indextime

Event received time vs parsed event time

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!