Thank you! Could you please explain the difference between the _time and _indextime. I'm still a little confuse.
I want to find an easy way to know when the data got ingested to Splunk and when did it shows up on the system for searching. Again thank you!

Thank you! is there another way to monitor when the data got ingested to Splunk (with time) and when it's available for the user ?

I'm trying to find a way when data recieved and is avilable for me for ingestion, and i have to ingest those data within 5 minutes. I'm sorry if my question is unlcear. I found the site below but not sure if it's the right way or not.

https://docs.splunk.com/Documentation/Splunk/7.1.3/Troubleshooting/Troubleshootingeventsindexingdela...

_time is the DateTimeStamp configuration for your log files which is configured in props.conf at indexer or heaxy forwarder. Usually it is taken from the date timestamp in the logs or file you are ingesting.
_indextime is the actual time when data is ingested into Splunk.

It can be that the datetimestamp in your logs are different from actual time the logs got ingested into splunk due to latency or the way datetimestamp is configured.

As soon as the data is ingested into Splunk it will be available to the users.

Thank you! So if i have somthing like this :
source = " " sourcetype = " " index = " " | eval delay_sec=_indextime-_time | timechart min(delay_sec) avg(delay_sec) max(delay_sec) by host

Is there a way to show a chart or a table where it shows me the differnce in time. when i tried the above it doesn't show me the differnce in time. it gives weird values such as 991618 and i don't understand what that value mean. Thank you!

https://docs.splunk.com/Documentation/Splunk/7.1.3/Troubleshooting/Troubleshootingeventsindexingdela...

The time is in seconds. You can sue stats instead of timechart

|stats min(delay_sec) avg(delay_sec) max(delay_sec) by host

Thank you!