Hey everyone,
Is there a way to show the indexed time of an event (as opposed to the timestamp)? I am trying to see if my forwarders are capable of keeping up with the volume of data that I am sending - I seem to be missing a lot of events and I want to make sure I'm not losing them when my pruning process runs.
Look at the hidden _indextime
field. I've found it helpful to look at the delay of each event and chart the results like so:
your search ... | eval delay=_indextime-_time | bucket bins=30 delay | chart count by delay
Doesn't work for me 😞 I add this to a query and I do not see _indextime values,
Here is the answer
YOUR QUERY | eval lag_sec=_indextime-_time | table lag_sec
This data is stored in the _indextime field.
You can access it via:
... | eval indexed_time=strftime(_indextime, "%+")
Or:
... | eval lag = _indextime - _time