Community:Search Report: How To Analyze Difference between the timestamp Vs IndexedTime

From Splunk Wiki


This search is useful when you want to see how far an event's timestamp (_time) is from the time the indexer actually wrote it (_indextime).

When you notice that there have been no new events since some point today, you might conclude that the indexer has stopped indexing. In fact the indexer may still be indexing events, but with incorrect timestamps, so they land outside the time range you are searching. To tell the two cases apart, compare the events' timestamp (_time), their index time (_indextime), and the difference between them. Keep in mind that earliest and latest filter on _time, so an event whose timestamp is badly wrong will not appear in the window at all; the search below only shows the events whose timestamp did land in the chosen hour.

#
# Table Comparison TimeStamp Vs. IndexTime
#

index=_internal earliest=-3h@h latest=-2h@h
   | rename _indextime as IndexTime
   | eval diff=IndexTime-_time
   | convert ctime(IndexTime) as IndexTime
   | eval diff=if(diff < 0, 0, diff)
   | table _time IndexTime diff

diff is the lag in seconds between the event's timestamp and the moment it was indexed. The original clamp wrote the string "0" rather than the number 0, which mixes types in a numeric column; it is corrected above. A negative raw value means the event's timestamp is later than the time it was indexed, which points at a clock or timestamp-extraction problem, so remove the clamping line if you want to see those events rather than hide them.

Example output: Table IndexTimeVsTimestamp.png
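The table above lists one row per event. The following search is an added example, not part of the original page, that summarizes the lag per sourcetype instead. It selects events by the time they were indexed (_index_earliest and _index_latest) rather than by _time, so events with badly wrong timestamps are still counted, and it keeps negative lags visible instead of clamping them. The 3600-second threshold used to call an event "stale" is an assumed value chosen for illustration, not a figure from the page.

```spl
index=_internal _index_earliest=-3h@h _index_latest=-2h@h
| eval lag=_indextime-_time
| eval direction=case(lag<0, "future_timestamp", lag>3600, "stale", true(), "ok")
| stats count min(lag) as min_lag max(lag) as max_lag avg(lag) as avg_lag perc95(lag) as p95_lag by sourcetype direction
| sort - max_lag
```

Rows tagged future_timestamp indicate events whose extracted timestamp is ahead of the indexer's clock; rows tagged stale with a large max_lag indicate sources whose timestamps are being parsed from the wrong field or whose clocks are behind. Either condition puts events outside the windows that scheduled searches and alerts cover, so a high count in those rows is worth investigating before concluding that a source is silent.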
