Can you help me understand why I'm receiving these...

dloszewski · ‎11-16-2018

Hello,

I'm having a hard time understanding why I'm receiving the values that I am for _time and _indextime.

All events that I'm currently getting show a _time value that is behind that of my _indextime. From what I understand, if there was a slowdown in the indexing, these values would be the other way around. I'm also noticing that the timestamps of my events (raw data) matches that of the _timeindex which further confuses me.

Any help you could provide would be appreciated. Example below:

_time = 2018-11-15T21:06:23.000-05:00
_indextime = 11/16/2018 16:42:27
event timestamp = 2018-11-16T02:06:23.000-00:00

adonio · ‎11-17-2018

look at your props.conf
this _time = 2018-11-15T21:06:23.000-05:00 seems to me to be exactly 5 hours before: 2018-11-16T02:06:23.000-00:00
which is in your timestamp: -05:00 probably timezone fix i needed here.
_indextime will always be after or at the (later) _time time because it physically takes time to write the data to disk (index) that when the _indextime is assigned. the only time _indextime will be before _time is if you have events in the future.
please read this doc in detail to take care of your time stamping:
http://docs.splunk.com/Documentation/Splunk/7.2.1/Data/Configuretimestamprecognition

hope it helps

Can you help me understand why I'm receiving these values for _time and _indextime?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes