Hi Splunkies,
I am very new to Splunk. I was using HP ArcSight. There are two timestamps in HP:
1) Manager Receipt time, similar to indexer logging time.
2) Another is the actual log source time in HP. But when I search logs for the last 2 hours in Splunk, we get the logs indexed in the last two hours.
However, in HP ArcSight I can define whether to search logs based on Manager Receipt time or actual event time.
Example of why I require this:
I have Symantec events from 2 months ago (actual log source time 21st Aug 2016) showing as "Details Pending", but the events were received now by the indexer (21st Oct 2016). Now I want to wait for the "quarantined" logs. The quarantined logs (for 21st Aug 2016) might have been received 1 month back (20th September 2016) by the indexer and triggered 1 month ago.
I want to search the logs by actual event time so that I can correlate with the actual time: the logs received 2 months ago as "Details pending" are related to the logs received 1 month ago as "quarantined".
Kindly let me know if we have this feature to "Search" in Splunk, to search based on the time events were received by Splunk and also by the actual log time.
Regards,
Destiny
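As an added illustration (not part of the original question), this SPL search shows the two clocks Splunk keeps for every event: `_time` is the timestamp parsed from the log source (what the time picker and `earliest`/`latest` filter on), while `_indextime` records when the indexer received the event and is filtered with `_index_earliest`/`_index_latest`. The index name, sourcetype and field names (`action`, `risk_name`, `dest`) are assumptions for a Symantec feed and will differ in a real deployment.

```spl
index=symantec sourcetype="symantec:ep:risk"
    earliest=-90d@d latest=now
    _index_earliest=-2h _index_latest=now
| eval event_time=strftime(_time, "%Y-%m-%d %H:%M:%S"),
       index_time=strftime(_indextime, "%Y-%m-%d %H:%M:%S"),
       ingest_delay_days=round((_indextime - _time) / 86400, 1)
| stats values(action) AS actions
        min(event_time) AS first_event_time
        max(index_time) AS last_indexed_time
        max(ingest_delay_days) AS max_delay_days
        BY risk_name dest
| where mvcount(actions) > 1 OR max_delay_days > 7
```

Events that arrived in the last two hours but carry an event time up to 90 days old are grouped by threat and host, so a "Details Pending" record and the later "quarantined" record for the same detection land in one row regardless of when each reached the indexer.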