Hi, I think it's worth checking into the field `_indextime` and how it compares to `_time`. The former is the time that the event was ingested; the latter is the time Splunk found and "put into the event".

index=*
| eval indextime = _indextime
| eval index_lag = abs(_indextime - _time)
| stats count as "Number of events", max(index_lag) as "Max", avg(index_lag) as "Avg", perc95(index_lag) as "95th Percentile", min(index_lag) as "Min" by host

Change the first line to match the index you are searching (wineventlog? Windows?) and maybe add a sourcetype or whatever else you need.

The second line: _indextime is hard to use "raw" because it's a special field, so we just eval a new copy of it into a new field to use later.

The third line is the meat of calculating the difference between the two values. We call it "index_lag".

The last line does your stats. It gives you, by host, the number of events over whatever time period you have in the time picker, the largest index_lag for that host, the average index_lag, the 95th percentile of the lag for that host, and the minimum lag for it too.

That should a) give you a smoking gun, and b) also give you a lot more ammunition and knowledge about other things to search for in answers here if you need to do more.

Happy Splunking!
-Rich
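As an added example (not part of Rich's answer), the following Python reproduces the arithmetic of his stats search offline over a handful of constructed events, so the numbers can be checked before trusting them in Splunk. Two details are worth seeing in code: Splunk's perc95() is an approximation, so the nearest-rank percentile used here is an assumption about how it rounds, and the abs() in the search throws away the sign of the lag, which hides events whose _time is ahead of _indextime (a source with a skewed clock). The host names, epoch values and the 300-second threshold are all made up for the illustration.

```python
"""Per-host index lag statistics, mirroring the SPL search in the answer above.

Added example, not code from the original post. Field names follow Splunk's
_time (timestamp parsed from the event) and _indextime (time the indexer
wrote the event); both are epoch seconds. All events below are constructed.
"""
import math
from collections import defaultdict
from statistics import mean

# Constructed sample events (hypothetical hosts and timestamps).
SAMPLE_EVENTS = [
    {"host": "dc01", "_time": 1700000000, "_indextime": 1700000005},
    {"host": "dc01", "_time": 1700000060, "_indextime": 1700000063},
    {"host": "dc01", "_time": 1700000120, "_indextime": 1700000122},
    {"host": "ws17", "_time": 1700000000, "_indextime": 1700003600},  # one hour late
    {"host": "ws17", "_time": 1700000060, "_indextime": 1700000070},
    {"host": "ws17", "_time": 1700000120, "_indextime": 1700000125},
    # _time is AHEAD of _indextime: source clock skew. abs() in the SPL
    # reports this as a 600 s lag and loses the direction.
    {"host": "srv09", "_time": 1700000600, "_indextime": 1700000000},
]


def perc95(values):
    """Nearest-rank 95th percentile. Assumed to approximate Splunk's perc95(),
    which is itself an approximation, so do not expect digit-for-digit agreement."""
    ordered = sorted(values)
    k = max(0, math.ceil(0.95 * len(ordered)) - 1)
    return ordered[k]


def index_lag_stats(events):
    """Equivalent of:
      | eval index_lag = abs(_indextime - _time)
      | stats count, max(index_lag), avg(index_lag), perc95(index_lag), min(index_lag) by host
    plus a 'future_dated' count that the abs() in the SPL cannot give you."""
    abs_lags = defaultdict(list)
    signed_lags = defaultdict(list)
    for e in events:
        lag = e["_indextime"] - e["_time"]
        abs_lags[e["host"]].append(abs(lag))
        signed_lags[e["host"]].append(lag)

    stats = {}
    for host, lags in abs_lags.items():
        stats[host] = {
            "count": len(lags),
            "max": max(lags),
            "avg": mean(lags),
            "p95": perc95(lags),
            "min": min(lags),
            # Events whose parsed timestamp is later than the index time.
            "future_dated": sum(1 for lag in signed_lags[host] if lag < 0),
        }
    return stats


def suspect_hosts(stats, threshold_sec=300):
    """Hosts whose 95th-percentile lag exceeds the (hypothetical) threshold,
    or that have any future-dated events. Sorted for stable output."""
    return sorted(
        host for host, s in stats.items()
        if s["p95"] > threshold_sec or s["future_dated"] > 0
    )


if __name__ == "__main__":
    result = index_lag_stats(SAMPLE_EVENTS)
    for host, s in sorted(result.items()):
        print(f"{host:6} count={s['count']} max={s['max']} avg={s['avg']:.1f} "
              f"p95={s['p95']} min={s['min']} future_dated={s['future_dated']}")
    print("suspect:", suspect_hosts(result))
```

Running it shows dc01 with single-digit lag throughout, ws17 with one event an hour late (which dominates both Max and the 95th percentile on so few events), and srv09 flagged purely because its lag is negative, something the SPL's abs() would have reported as an ordinary 600-second delay.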