Solved: include indexTime in output file

efelder0 · ‎05-30-2012

I am looking to include the indexTime in my output file and then append that that field to an existing 'CreateTimeStamp' field. What is the best method to extract indexTime (or recentTime)?

Ayn · ‎05-30-2012

Not sure what your "output file" is, but here goes:

The time an event was indexed is available in the field _indextime. You might have some problems with actually viewing it because it's by default a purely internal field that isn't shown to users. You can however make it visible by eval:ing it:

 ... | eval indextime=_indextime

After that you can just include the indextime field in whatever output you need.

View solution in original post

Ayn · ‎05-30-2012

Not sure what your "output file" is, but here goes:

The time an event was indexed is available in the field _indextime. You might have some problems with actually viewing it because it's by default a purely internal field that isn't shown to users. You can however make it visible by eval:ing it:

 ... | eval indextime=_indextime

After that you can just include the indextime field in whatever output you need.

mslvrstn · ‎08-29-2012

Ayn, I combined this with your other answer
http://splunk-base.splunk.com/answer_link/41401/
about getting readable times, to get
| eval indextime=strftime(_indextime,"%+")

Thanks for both excellent answers!

include indexTime in output file

There's No Place Like Chrome and the Splunk Platform

The Great Resilience Quest: 5th Leaderboard Update

Devesh Logendran, Splunk, and the Singapore Cyber Conquest