×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
clunde
New Member
Member since: ‎03-03-2020
‎08-28-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎03-03-2020
View All

Re: I'm trying to determine if by date_time stamps...

by in Splunk Search
‎08-28-2020 09:29 AM
‎08-28-2020 09:29 AM
Thank you for the information! Do you know if the first time stamp is the _time or if it's the _indextime?   Thank you! ... View more

I'm trying to determine if by date_time stamps if ...

by in Splunk Search
‎08-28-2020 08:33 AM
‎08-28-2020 08:33 AM
Hello, I'm trying to determine if we are getting all the TrendMicro logs by comparing what's in Splunk and what's in Trend. There are 2 date/time stamps in the Splunk logs which I assume 1 is the actual event date/time and the other is the Splunk index date/time.  I've ran the following 2 searches which return the same date_time stamps but I would expect to be different since the 2 date/times are different. Times: Aug 28 11:18:43 x.x.x.x Aug 28 15:12:19 index=trendmicro | eval mytime=strftime(_time,"%Y-%m-%dT%H:%M:%S.%Q %Z") 2020-08-28T11:18:43.000 EDT index=trendmicro | eval mytime=strftime(_indextime,"%Y-%m-%dT%H:%M:%S.%Q %Z") 2020-08-28T11:18:43.000 EDT How can I pull/report on both of these fields with both of the date_time stamps so we can determine we are getting all logs as well as if the indexer(s) are under resourced? ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎08-28-2020 02:21 PM