How is the data sent to Splunk? Is this via HEC, file monitor, script, an add-on, etc.?
_time is the timestamp of the actual event, whereas _indextime is the timestamp when Splunk actually indexed the event. Depending on the input, these two timestamps may be very far apart. For example, if you use a file monitor input that has data from a year ago, _time will be a year ago, but _indextime will be "now". Similarly, scripts and several add-ons use an interval for data collection. A delay could be seen between when the event was generated and when the input script ran.
Here is how Splunk determines the _time timestamp -> https://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps#How_Splunk_software_assigns_timestamps
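The following SPL is an added example and is not part of the answer above; it turns the _time / _indextime distinction into two checks a detection engineer would actually run. The first search measures ingest lag per index and sourcetype and labels the two failure modes described in the answer (old data replayed by a file monitor or interval-based collector, and events whose _time lies in the future because of clock skew). The second shows a scheduled search bounded by _index_earliest/_index_latest instead of _time, so late-arriving events are not silently missed by an alert that only looks at a recent _time window. The index name `security` and the one-hour lag threshold are assumptions for the example, not values from the original post.

```spl
index=* earliest=-24h
| eval ingest_lag_sec = _indextime - _time
| eval lag_class = case(ingest_lag_sec < 0, "future_timestamp (clock skew or bad timestamp extraction)",
                        ingest_lag_sec > 3600, "late_arrival (backfill, file monitor, or interval collector)",
                        true(), "ok")
| stats count,
        min(ingest_lag_sec) AS min_lag_sec,
        round(avg(ingest_lag_sec), 1) AS avg_lag_sec,
        perc95(ingest_lag_sec) AS p95_lag_sec,
        max(ingest_lag_sec) AS max_lag_sec
        BY index, sourcetype, lag_class
| sort - p95_lag_sec

index=security _index_earliest=-10m@m _index_latest=@m
| eval ingest_lag_sec = _indextime - _time
| eval event_time = strftime(_time, "%Y-%m-%d %H:%M:%S"),
       indexed_at = strftime(_indextime, "%Y-%m-%d %H:%M:%S")
| table host, sourcetype, event_time, indexed_at, ingest_lag_sec
```

Run the first search ad hoc to learn the normal lag profile of each input before setting alert windows; a sourcetype whose p95 lag is ten minutes needs a detection window at least that wide, or the alert must be keyed on _indextime as in the second search. The second search is the shape to use for a cron-scheduled alert: the _index_earliest/_index_latest bounds pick up every event the indexer wrote in the last ten-minute slot regardless of how old its _time is, and the lag column makes backfilled or skewed events visible in the alert output rather than hidden.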