Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Load Time vs Event Time
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
fredclown
Builder
07-17-2013
11:06 AM
I know that I ca get the event time using "_time". Does Splunk keep track of the time the event was loaded into Splunk in a field? We have some duplicate data that was loaded for a day, but it was loaded on a different day than the original day. So, if I were able to do a search like below I could easily find the duplicate values and remove them.
index="epicdata" earliest="07/03/2013:00:00:00" latest="07/04/2013:00:00:00" load_time>="07/04/2013:00:00:00" | delete
Update:
Here is what I did ... worked great! Basically, I got all of the events for 7/3 that were indexed on 7/6 and up and deleted them.
index = "myindex" _time >= "1372834800" _time < "1372921200" _indextime >= "1373094000" | delete
1372834800 epoch for 7/3/2013
1372921200 epoch for 7/4/2013
1373094000 epoch for 7/6/2013
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ayn
Legend
07-17-2013
11:14 AM
Yes, there is such a field. It's called _indextime and carries the time when an event was indexed, in epoch format.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ayn
Legend
07-17-2013
11:14 AM
Yes, there is such a field. It's called _indextime and carries the time when an event was indexed, in epoch format.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mendesjo
Path Finder
06-21-2016
10:38 AM
I added _indextime to a multiple indexes shows nothing.. how do you get the epoch time to show up?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
fredclown
Builder
07-17-2013
12:40 PM
Oh good. That makes it easier. Thanks for your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ayn
Legend
07-17-2013
11:44 AM
Awesome! It's local.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
fredclown
Builder
07-17-2013
11:40 AM
Is the epoch time in UTC/GMT or local?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
fredclown
Builder
07-17-2013
11:24 AM
Bless you. This will make it a cinch to remove the duplicate data.
Get Updates on the Splunk Community!
What’s New in Splunk Observability Cloud – June 2025
What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...
Almost Too Eventful Assurance: Part 2
Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...
Leveraging Detections from the Splunk Threat Research Team & Cisco Talos
Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research Team (STRT) and ...
