Solved: Re: How do I determine when an event was indexed?

the_wolverine · ‎04-01-2010

I'm trying to troubleshoot some issues with indexing. It would be great to be able to find out when an event or events were indexed.

the_wolverine · ‎04-01-2010

Here's how I would do it:

searchterms | eval idxtime=_indextime | convert ctime(idxtime)

The added step of converting using ctime changes the epochtime (of _indextime) to human readable ascii time, like "03/31/2010 20:30:00".

View solution in original post

lisaac · ‎10-08-2010

I have a question. What is the easiest way to export this data from the command line? I would like the raw event with the value idxtime.

the_wolverine · ‎04-01-2010

Here's how I would do it:

searchterms | eval idxtime=_indextime | convert ctime(idxtime)

The added step of converting using ctime changes the epochtime (of _indextime) to human readable ascii time, like "03/31/2010 20:30:00".

the_wolverine · ‎04-02-2010

you rock.......

gkanapathy · ‎04-02-2010

one step: mysearchterms | convert ctime(_indextime) as idxtime

Stephen_Sorkin · ‎04-01-2010

Since Splunk 4.0, the indexing machine will add an index time field called _indextime to events as they are written to disk. To see these, run a search like the following and add "indextime" to the selected fields:

... | eval indextime = _indextime

To calculate lag from the timestamp of the event through indexing, search like:

... | eval lag = _indextime - _time

How do I determine when an event was indexed?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases