Solved: Re: Load Time vs Event Time

fredclown · ‎07-17-2013

I know that I ca get the event time using "_time". Does Splunk keep track of the time the event was loaded into Splunk in a field? We have some duplicate data that was loaded for a day, but it was loaded on a different day than the original day. So, if I were able to do a search like below I could easily find the duplicate values and remove them.

index="epicdata" earliest="07/03/2013:00:00:00" latest="07/04/2013:00:00:00" load_time>="07/04/2013:00:00:00" | delete

Update:

Here is what I did ... worked great! Basically, I got all of the events for 7/3 that were indexed on 7/6 and up and deleted them.

index = "myindex" _time >= "1372834800" _time < "1372921200" _indextime >= "1373094000" | delete

1372834800 epoch for 7/3/2013
1372921200 epoch for 7/4/2013
1373094000 epoch for 7/6/2013

Ayn · ‎07-17-2013

Yes, there is such a field. It's called _indextime and carries the time when an event was indexed, in epoch format.

View solution in original post

Ayn · ‎07-17-2013

Yes, there is such a field. It's called _indextime and carries the time when an event was indexed, in epoch format.

mendesjo · ‎06-21-2016

I added _indextime to a multiple indexes shows nothing.. how do you get the epoch time to show up?

fredclown · ‎07-17-2013

Oh good. That makes it easier. Thanks for your help.

Ayn · ‎07-17-2013

Awesome! It's local.

fredclown · ‎07-17-2013

Is the epoch time in UTC/GMT or local?

fredclown · ‎07-17-2013

Bless you. This will make it a cinch to remove the duplicate data.

Load Time vs Event Time

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?