Well, even if you use index time as _time, you still can extract and use event's time as a field. You can also use _indextime directly or even extract event time as an indexed field to use it fast. There are several possibilities. It's just that by default Splunk works in a specific way. And I still think (and it's actually not connected to Splunk itself) that lack of proper time synchronization is an important issue for any monitoring ans security monitoring even more so. True, some SIEMs do have several separate time fields for any event but on the other hand they have very rigid parsing rules and once you have your data indexed, it's over. So each approach has its pros and cons. Splunk's bucketing by _time has one huuuuuge advantage - it speeds up searches by limiting whole buckets from being searched. ... View more

Finding this much later and love it. I made some slight edits to include calculated fields (the mvfilter NOT match is for the sub-model names that start with capital letters and the is_/is_not_ stuff for each sub-model): | datamodel | rex field=_raw "\"modelName\"\s*\:\s*\"(?<modelName>[^\"]+)\"" | spath output=fieldList objects{}.calculations{}.outputFields{}.displayName | spath output=fieldList2 objects{}.fields{}.displayName | eval fieldList = mvappend(fieldList,fieldList2) | where modelName!="Splunk_CIM_Validation" | table modelName fieldList | eval fieldList = mvdedup(mvfilter(NOT match(fieldList,"is_.*|^[A-Z]")))  The check index/sourcetype is a handy addition. I also highly recommend Outpost's Data Model Mechanic for troubleshooting DMs. ... View more

The search looks solid but I feel like something is up with your coalesce. From this example, the same event will not have both "indexA_agentB" and "indexB_agentB" so a coalesce will not do anything. I think what you're trying to do is rename the field they share so that they are the same, and then your stats by that field will accurately show which comes from two sourcetypes. ... View more