Hey Guys -
I am looking to create a simple report with event timestamp & indexed timestamp information, but I am not able to merge index=xxx & index=_internal. Could someone please help me with the search? You may consider any sample data.
Thanks in advance.
Hello,
Please try this:
... | eval indexed_time=strftime(_indextime, "%+") | table indexed_time _time
There isn't a need to combine both indexes as there is always a hidden internal field called _indextime.
You might also find this post helpful: https://answers.splunk.com/answers/42646/showing-indexed-time.html
Is there any way to include the timestamp for data read by the UF as well?
Thanks
This will probably help with that and more...
http://docs.splunk.com/Documentation/Splunk/6.0.8/Troubleshooting/Troubleshootingeventsindexingdelay
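Building on the _indextime answer above and the indexing-delay troubleshooting link, here is an added example search (not from either poster) that turns the two timestamps into a per-host lag report; index=main, sourcetype=syslog and the 300-second threshold are assumed values to adjust for your environment.

```spl
index=main sourcetype=syslog earliest=-24h
| eval event_time=strftime(_time, "%+")
| eval indexed_time=strftime(_indextime, "%+")
| eval lag_sec=_indextime - _time
| stats count,
        avg(lag_sec) as avg_lag_sec,
        perc95(lag_sec) as p95_lag_sec,
        max(lag_sec) as max_lag_sec,
        min(lag_sec) as min_lag_sec
  by host, sourcetype
| where max_lag_sec > 300 OR min_lag_sec < -60
| sort - max_lag_sec
```

lag_sec is the seconds between when the event says it happened (_time) and when the indexer wrote it (_indextime), so a large positive value points at a slow or queued forwarder and a negative value points at a timestamp or timezone extraction problem; either one means a time-bounded alert can miss those events.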