
_time vs _indextime: Why is it necessary to sync the two timestamps, and which one is considered using the time range picker?

Contributor

Hi,

My understanding is that _time is the event time (the timestamp present in the event, i.e. the time when the event was generated) and _indextime is the index time (the time when the event was indexed).
Now, if my event time and index time are not the same for some reason (let's say my forwarder is down for an hour, so the event time and the index time differ by one hour), can I consider those events, whose index time and event time are not the same, to be bad events?

Also, why is it necessary to always sync the event time and index time? What is the benefit of syncing these two times, and when we pick a time using the time picker, which time does it consider?

Please help!


Re: _time vs _indextime: Why is it necessary to sync the two timestamps, and which one is considered using the time range picker?

SplunkTrust

The time range picker works on the event time in the _time field.

It's not strictly necessary to sync up index time with event time, it's just an indication of indexing delay or old data. Whether that's bad or not depends on your circumstances. For example, if some source only delivers a batch of data for yesterday every night then seeing up to a day of difference between index time and event time is unavoidable. I wouldn't call those events bad, just delayed.


Re: _time vs _indextime: Why is it necessary to sync the two timestamps, and which one is considered using the time range picker?

Splunk Employee

The difference between _time and _indextime helps us understand when the events are seen vs. when they are written to disk on the actual indexers.
What having this enables us to do is understand the latency between ingest time (event timestamp) and when this is written to disk. There should be nominal differences between these unless a difference is expected (such as with a batch read).
Where we start seeing huge deltas between these, it is usually indicative of performance issues at the parsing/indexing layer, and we recommend scaling out the indexing layer.
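Added example (not from either answer above): a search that measures the _indextime minus _time delta the two answers describe, so delayed and stale sources show up per host and sourcetype rather than being guessed at. The thresholds (60 s, 3600 s), the example index name and the "batch" allow-list are assumptions to adjust for your own environment.

```spl
index=example_index earliest=-1h@h latest=@h
| eval lag_s = _indextime - _time
| eval lag_class = case(
      lag_s < 0,     "future_timestamp",
      lag_s <= 60,   "ok",
      lag_s <= 3600, "delayed",
      true(),        "stale")
| stats count
        avg(lag_s)    AS avg_lag_s
        perc95(lag_s) AS p95_lag_s
        max(lag_s)    AS max_lag_s
        by sourcetype host lag_class
| where lag_class != "ok"
| where NOT (sourcetype IN ("nightly_batch_export") AND lag_class == "delayed")
| sort - p95_lag_s
```

The "future_timestamp" class catches events whose parsed _time is later than the moment they were indexed, which usually points at timestamp extraction or clock skew on the source rather than indexing backlog; the time range picker will still place those events by _time, so they can appear to be missing from a search window that ended before they were actually received.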