Sometimes, when troubleshooting inputs on large installations (deployment apps, several layers of forwarders, etc.), it would be nice to know when a specific event was actually indexed on Splunk. It would also be useful when adding historic data (old data on file) to get a notion that it was not indexed "as it was generated", or when the original source process (that writes to a log file) does this in "bursts" instead of "near-real-time".
It would be very simple just to store something like a "_indexedtime" field on every event.
Is there any debug setting to turn this on?
Hi @ruiaires
Yup!
"The _indextime field contains the time that an event was indexed, expressed in Unix time. You might use this field to focus on or filter out events that were indexed within a specific range of time."
Check out the docs on other internal fields here
http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/UseDefaultFields#Internal_fields
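An added example, not part of the answer above: a search that uses `_indextime` to measure how long each event took to reach the index and to separate near-real-time delivery from bursts and historic backfill. The index name `main`, the 24-hour window and the 60-second and 1-hour thresholds are assumptions to adjust for your environment.

```spl
index=main earliest=-24h
| eval lag_seconds = _indextime - _time
| eval delivery = case(
    lag_seconds < 0, "future timestamp (clock or timezone issue)",
    lag_seconds <= 60, "near real time",
    lag_seconds <= 3600, "delayed or bursty",
    true(), "historic backfill")
| stats count
        avg(lag_seconds) AS avg_lag
        perc95(lag_seconds) AS p95_lag
        max(lag_seconds) AS max_lag
        min(_indextime) AS first_indexed
        max(_indextime) AS last_indexed
  BY host, sourcetype, delivery
| eval first_indexed = strftime(first_indexed, "%Y-%m-%d %H:%M:%S"),
       last_indexed  = strftime(last_indexed,  "%Y-%m-%d %H:%M:%S")
| sort - max_lag
```

`_indextime` is hidden in search results, so it only becomes visible once it is copied or formatted through `eval` or `stats` as above. The `earliest` modifier filters on `_time`; to select events by when they were indexed, use the `_index_earliest` and `_index_latest` time modifiers.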