How do I search for events within _indextime?

mcbradfordwcb · ‎10-12-2018

I understand the behavior of Splunk when using _indextime, but I want to know what query would do what I really am looking for.

In the sample query:

index="bro"  _indextime > 1539343843 _indextime <= 1539343963

And with the timepicker set to last 24 hours, Splunk will actually look for events indexed between the time specified and _time within the last 24 hours.

I do not want Splunk to search _time, I only want it to search for events within _indextime

corey_reynders · ‎12-06-2018

I would run with the following :

index="bro" earliest=0 latest=now()  _indextime > 1539343843 _indextime <= 1539343963

Since the time picker cannot be configured to run against a different field you have to search all of time and then filter based on the _indextime you want to see, sadly it is not fast if your index is big.

_index_earliest and _index_latest do work but since you don't really see the index time it becomes difficult to validate your search results are accurate. This is what I normally do to see that :

<search> | eval _time=_indextime

This will cause your event timeline to show the events by _indextime so that you can validate the results easier.

My index has lots of overlapping equivalent timestamps and I need to pull the latest values by _indextime so I often end up doing this :

<search> | eval orig_time=_time,_time=_indextime | stats latest(stuff) | eval _time=orig_time | timechart <stuff>

I'm not sure exactly what your data looks like but that helps me get the latest indexed values regardless of the _time of the event (slow... but it works).

493669 · ‎10-12-2018

@mcbradfordwcb
you can use time modifiers for index time like

index=<indexname> _index_earliest=-h@h _index_latest=@h

Similar to earliest and latest for _time, _index_earliest and _index_latest are available for _indextime.
refer this blog- https://www.splunk.com/blog/2013/09/26/an-introduction-to-the-theory-or-relative-time-modifiers-for-...

marycordova · ‎12-06-2018

here is a decent debate and some tips around _indextime

https://answers.splunk.com/answers/678655/how-to-trigger-alerts-when-indextime-time-1.html

@marycordova

mcbradfordwcb · ‎10-12-2018

index="bro" _index_earliest > 1539343843 _index_latest <= 1539343963

Does not work. It looks like Splunk is treating these as actual terms to search.

493669 · ‎10-12-2018

@mcbradfordwcb,
it is working please check for ex:-

index=_internal _index_earliest>1539343843 _index_latest<=1539343963

mcbradfordwcb · ‎10-12-2018

Even though _indextime is a hidden field it can be used. The search provided does not work. Regardless, if the eval did work, I think it would perform the same way and not do what I need it to do, which is to ONLY show me results for events that were INDEXED within the time I have specified.

kamlesh_vaghela · ‎10-12-2018

@mcbradfordwcb

_indextime is hidden field. So you can not use directly.

Can you please try this?

  index="bro" | eval T=_indextime |where T > 1539343843 AND T <= 1539343963

How do I search for events within _indextime?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...