A lot of Splunk articles say that recentTime and localTime will be the same, but that's not true if your devices don't all store data in UTC time.
In our experience, recentTime is relative to the local time of whoever is conducting the search, while lastTime is the latest timestamp reported by the device and stored inside an index.
If you have devices in different timezones (in other words, you don't use GMT/UTC), you need to be careful about the different commands. Example: If you want an alert on devices that haven't reported to an index in the last 1800 seconds, we use recentTime so that everything is relative to the local time:
| metadata index=indexname type=hosts | eval age=now()-recentTime | search age>1800
If you use lastTime , your ages will be all over the place because devices are reporting from different timezones. A negative age means the device is in a timezone ahead of yours, so it thinks the device is in the future.
If you want to see for yourself, try | metadata index=indexname type=hosts | eval age=now()-recentTime and then try | metadata index=indexname type=hosts | eval age=now()-lastTime and see the difference in ages.
Summary
recentTime : Timezone of the search head/indexer
lastTime : Last timestamp seen in the data (potentially a different timezone)
... View more
