Solved: On certain events the indexed time is 24h after th...

joe06031990 · ‎08-21-2023

Hi,

On certain events the indexed time is 24h after the event _time across all indexes on Splunk cloud, just wondered if anyone has seen this before it doesn’t look to matter on the source type that is used.

thanks,

bowesmana · ‎08-21-2023

If the _indextime is 24h after the event _time, are the events just coming in 24 later from the host that is sending the events?

Is there any consistency between any of the events that are late? host/index/source/sourcetype?

It is always an exact 24h difference to the event _time?

Are these events coming in from a universal forwarder, HEC, through a heavy forwarder?

View solution in original post

bowesmana · ‎08-21-2023

If the _indextime is 24h after the event _time, are the events just coming in 24 later from the host that is sending the events?

Is there any consistency between any of the events that are late? host/index/source/sourcetype?

It is always an exact 24h difference to the event _time?

Are these events coming in from a universal forwarder, HEC, through a heavy forwarder?

On certain events the indexed time is 24h after the event _time across all indexes on Splunk cloud

administration

configuration

Splunk Investigate

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!