Re: Why _time is later than _indextime ??

stardust927 · ‎04-05-2018

This data occurs in real time, and I receive it with bundles.

Each source send about 1000~2000 data for average in a day.

I want to compare _indextime and _time(_time is same as the time at the event log's has)

I used query like this.

index=idx_A source="B.D2180323.F0015358*"
| eval indextime=_indextime
| stats values(source) by indextime _time
| eval time_gap=indextime - _time, indextime=strftime(indextime, "%y/%m/%d %H:%M:%S")

I guessed the indextime will be always later than _time, because all events will indexing after the events get over.

Most of results are came out as I gussed, but some events was wiered.

indextime              _time         Time_gap
2018-03-22 1:05 2018-03-22 23:19    -1334
2018-03-22 1:05 2018-03-22 23:25    -1340
2018-03-22 1:05 2018-03-22 23:34    -1349
2018-03-22 1:05 2018-03-22 23:56    -1371

Why some indextime is later than _time?

splunker12er · ‎04-05-2018

try to see the latency,

 * | eval time=_time | eval itime=_indextime | eval latency=(itime  - time) | stats count, avg(latency), min(latency), max(latency) by source

Negative latencies, if observed, usually indicate a system clock difference between the source server (log-source) and the Splunk-server(indexer).

This figure will of course be inaccurate when Splunk indexes historic logs.- just to let you know

Why _time is later than _indextime ??

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation