I'm trying to troubleshoot some issues with indexing. It would be great to be able to find out when an event or events were indexed.
Here's how I would do it:
searchterms | eval idxtime=_indextime | convert ctime(idxtime)
The added step of converting using ctime changes the epoch time (of _indextime) to human-readable ASCII time, like "03/31/2010 20:30:00".
I have a question. What is the easiest way to export this data from the command line? I would like the raw event with the value idxtime.
you rock.......
One step: mysearchterms | convert ctime(_indextime) as idxtime
Since Splunk 4.0, the indexing machine will add an index time field called _indextime to events as they are written to disk. To see these, run a search like the following and add "indextime" to the selected fields:
... | eval indextime = _indextime
To calculate lag from the timestamp of the event through indexing, search like:
... | eval lag = _indextime - _time
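The same idxtime/lag calculation carried out offline on exported events, as an added example that is not from any of the posts above. It assumes the events were exported as one JSON object per line carrying _raw, _time and _indextime (epoch seconds, the field the answers describe), and it formats idxtime the way convert ctime does; the sample records are constructed.

```python
import json
import time

# Constructed sample of exported events. _time is the event's own timestamp,
# _indextime is when the indexer wrote it to disk (both epoch seconds).
SAMPLE_EXPORT = """
{"_raw": "Mar 31 20:29:55 host1 sshd[123]: Accepted publickey for alice", "_time": 1270067395, "_indextime": 1270067400}
{"_raw": "Mar 31 20:20:00 host2 kernel: link up", "_time": 1270066800, "_indextime": 1270067400}
{"_raw": "Mar 31 20:30:10 host1 sudo: alice : TTY=pts/0", "_time": 1270067410, "_indextime": 1270067405}
"""


def ctime(epoch):
    """Format an epoch value like Splunk's `convert ctime(...)`: MM/DD/YYYY HH:MM:SS.
    Assumption: UTC is used here so the output does not depend on the local
    timezone; Splunk itself renders in the search's timezone."""
    return time.strftime("%m/%d/%Y %H:%M:%S", time.gmtime(epoch))


def annotate(export_text):
    """Equivalent of: ... | eval idxtime=_indextime | convert ctime(idxtime) | eval lag=_indextime-_time"""
    events = []
    for line in export_text.strip().splitlines():
        ev = json.loads(line)
        ev["idxtime"] = ctime(ev["_indextime"])
        ev["lag"] = ev["_indextime"] - ev["_time"]   # seconds between event time and index time
        events.append(ev)
    return events


def delayed(events, max_lag_seconds):
    """Events that took longer than max_lag_seconds to reach the index (forwarder backlog, queue blocking)."""
    return [e for e in events if e["lag"] > max_lag_seconds]


def clock_skew(events):
    """Negative lag: the event claims a timestamp later than the moment it was indexed,
    which usually means a skewed source clock or a timestamp-extraction error."""
    return [e for e in events if e["lag"] < 0]


if __name__ == "__main__":
    for ev in annotate(SAMPLE_EXPORT):
        print(f'{ev["idxtime"]}  lag={ev["lag"]:>5}s  {ev["_raw"]}')
```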