Splunk Search

Load Time vs Event Time

fredclown
Builder

I know that I ca get the event time using "_time". Does Splunk keep track of the time the event was loaded into Splunk in a field? We have some duplicate data that was loaded for a day, but it was loaded on a different day than the original day. So, if I were able to do a search like below I could easily find the duplicate values and remove them.

index="epicdata" earliest="07/03/2013:00:00:00" latest="07/04/2013:00:00:00" load_time>="07/04/2013:00:00:00" | delete

Update:

Here is what I did ... worked great! Basically, I got all of the events for 7/3 that were indexed on 7/6 and up and deleted them.

index = "myindex" _time >= "1372834800" _time < "1372921200" _indextime >= "1373094000" | delete

1372834800 epoch for 7/3/2013
1372921200 epoch for 7/4/2013
1373094000 epoch for 7/6/2013
Tags (3)
1 Solution

Ayn
Legend

Yes, there is such a field. It's called _indextime and carries the time when an event was indexed, in epoch format.

View solution in original post

Ayn
Legend

Yes, there is such a field. It's called _indextime and carries the time when an event was indexed, in epoch format.

mendesjo
Path Finder

I added _indextime to a multiple indexes shows nothing.. how do you get the epoch time to show up?

0 Karma

fredclown
Builder

Oh good. That makes it easier. Thanks for your help.

0 Karma

Ayn
Legend

Awesome! It's local.

0 Karma

fredclown
Builder

Is the epoch time in UTC/GMT or local?

0 Karma

fredclown
Builder

Bless you. This will make it a cinch to remove the duplicate data.

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk Observability Cloud – June 2025

What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...

Almost Too Eventful Assurance: Part 2

Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

 Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research Team (STRT) and ...