Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I search for events within _indextime?

mcbradfordwcb
Engager
‎10-12-2018 06:27 AM

I understand the behavior of Splunk when using _indextime, but I want to know what query would do what I really am looking for.

In the sample query:

index="bro"  _indextime > 1539343843 _indextime <= 1539343963

And with the timepicker set to last 24 hours, Splunk will actually look for events indexed between the time specified and _time within the last 24 hours.

I do not want Splunk to search _time, I only want it to search for events within _indextime

Tags (1)
0 Karma
Reply

corey_reynders
Path Finder
‎12-06-2018 01:19 PM

I would run with the following :

index="bro" earliest=0 latest=now()  _indextime > 1539343843 _indextime <= 1539343963

Since the time picker cannot be configured to run against a different field you have to search all of time and then filter based on the _indextime you want to see, sadly it is not fast if your index is big.

_index_earliest and _index_latest do work but since you don't really see the index time it becomes difficult to validate your search results are accurate. This is what I normally do to see that :

<search> | eval _time=_indextime

This will cause your event timeline to show the events by _indextime so that you can validate the results easier.

My index has lots of overlapping equivalent timestamps and I need to pull the latest values by _indextime so I often end up doing this :

<search> | eval orig_time=_time,_time=_indextime | stats latest(stuff) | eval _time=orig_time | timechart <stuff>

I'm not sure exactly what your data looks like but that helps me get the latest indexed values regardless of the _time of the event (slow... but it works).

0 Karma
Reply

493669
Super Champion
‎10-12-2018 11:30 AM

@mcbradfordwcb
you can use time modifiers for index time like

index=<indexname> _index_earliest=-h@h _index_latest=@h

Similar to earliest and latest for _time, _index_earliest and _index_latest are available for _indextime.
refer this blog- https://www.splunk.com/blog/2013/09/26/an-introduction-to-the-theory-or-relative-time-modifiers-for-...

Reply

marycordova
SplunkTrust
SplunkTrust
‎12-06-2018 04:04 PM

here is a decent debate and some tips around _indextime

https://answers.splunk.com/answers/678655/how-to-trigger-alerts-when-indextime-time-1.html

@marycordova
0 Karma
Reply

mcbradfordwcb
Engager
‎10-12-2018 12:53 PM 
index="bro" _index_earliest > 1539343843 _index_latest <= 1539343963

Does not work. It looks like Splunk is treating these as actual terms to search.

0 Karma
Reply

493669
Super Champion
‎10-12-2018 10:54 PM

@mcbradfordwcb,
it is working please check for ex:-

index=_internal _index_earliest>1539343843 _index_latest<=1539343963
0 Karma
Reply

mcbradfordwcb
Engager
‎10-12-2018 10:15 AM

Even though _indextime is a hidden field it can be used. The search provided does not work. Regardless, if the eval did work, I think it would perform the same way and not do what I need it to do, which is to ONLY show me results for events that were INDEXED within the time I have specified.

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-12-2018 08:51 AM

@mcbradfordwcb

_indextime is hidden field. So you can not use directly.

Can you please try this?

  index="bro" | eval T=_indextime |where T > 1539343843 AND T <= 1539343963
0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...