Dears,
Are there separate fields for:
Event received time (when the event was received by Splunk); and
Parsed (extracted) event time?
My understanding is that for any event that has a recognisable timestamp, Splunk will try to extract it at index time and store it in the _time internal field (as epoch time).
Then at search time Splunk dynamically creates the date_* fields. What I would like to know is whether there is another field that contains the event received time (regardless of the event content, extractions etc.)?
There is a field _indextime
on each event that indicates when an event was indexed.
Thank you gk and araitz
To make it viewable, add to your search: | eval indextime=_indextime
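As an added example (not from any poster in this thread), the search below puts the two timestamps side by side and uses their difference to surface events whose parsed time and received time disagree: a large positive lag means delayed forwarding, a negative lag means a timestamp was mis-extracted into the future. The index name and the 300-second threshold are assumptions; adjust them to your environment.

```spl
index=main earliest=-24h
| eval indextime=_indextime
| eval ingest_lag_sec=_indextime-_time
| eval event_time=strftime(_time,"%Y-%m-%d %H:%M:%S"), received_time=strftime(_indextime,"%Y-%m-%d %H:%M:%S")
| where ingest_lag_sec>300 OR ingest_lag_sec<0
| stats count, min(ingest_lag_sec) AS min_lag_sec, max(ingest_lag_sec) AS max_lag_sec BY host, sourcetype
```

This matters for scheduled alerts: a search windowed on _time can silently miss events that arrived late, so detections that must not miss delayed data should constrain on _indextime (for example `_index_earliest=-5m`) instead.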