Community:Search Report: How to search based on Indexed Time and define time range based on relative time of Indexed Time
From Splunk Wiki
Note: Information in this page was merged to Search Example: Index Time Vs Event Time Stamp
Sometimes events such as syslog are indexed with an incorrect timestamp, and you might need to troubleshoot why.
At the same time, you might need to verify that no events are missing among the incorrectly indexed ones.
The following search report helps identify both situations.
#
# Search Report
#  => Search by indexed time
#
#
# How to identify events whose index time and timestamp are off (by more than 1 hour = 3600 sec)
#
source="udp:514" | eval IndexTime=_indextime | eval TimeStamp=_time | eval delta=_indextime-_time | eval Raw=_raw | where delta > 3600 | convert ctime(IndexTime) | convert ctime(TimeStamp) | table TimeStamp IndexTime delta Raw
#
# How to specify the time range based on indexed time (yesterday, by index time)
#
source="udp:514" | eval IndexTime=_indextime | eval CurrentTime=now() | eval D0=relative_time(now(), "@d") | eval D1=relative_time(now(), "-1d@d") | where IndexTime < D0 | where IndexTime > D1 | eval Raw=_raw | convert ctime(IndexTime) as IndexTime01 | table IndexTime IndexTime01 Raw
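The following is an added example, not part of the original wiki page: a small offline simulation of the two searches above, so that their semantics (the `_indextime - _time` delta check and the `relative_time()` offset-then-snap behaviour behind `"@d"` and `"-1d@d"`) can be checked without a Splunk instance. It assumes UTC epoch seconds, snaps in UTC (Splunk snaps in the user's time zone), supports only the `[+-]N{s,m,h,d}` and `@{s,m,h,d}` modifier forms, and runs over constructed sample events rather than real syslog data.

```python
"""Added example (not the wiki page's code): offline model of the two
SPL searches above. Assumes UTC epoch seconds and UTC snapping."""
import re
from datetime import datetime, timezone

_MOD_RE = re.compile(r"^(?:([+-]?\d+)([smhd]))?(?:@([smhd]))?$")
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def _epoch(y, mo, d, h=0, mi=0, s=0):
    """UTC calendar fields -> epoch seconds (helper for constructed data)."""
    return int(datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc).timestamp())


def ctime(epoch):
    """Mimic SPL `convert ctime(...)` default output: %m/%d/%Y %H:%M:%S."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


def relative_time(epoch, modifier):
    """Mimic SPL relative_time(): apply the offset first, then snap down,
    so "-1d@d" means: go back one day, then round down to midnight."""
    m = _MOD_RE.match(modifier)
    if not m:
        raise ValueError(f"unsupported modifier {modifier!r}")
    amount, unit, snap = m.groups()
    t = epoch
    if amount:
        t += int(amount) * _UNIT_SECONDS[unit]
    if snap:
        zero = {"d": dict(hour=0, minute=0, second=0),
                "h": dict(minute=0, second=0),
                "m": dict(second=0),
                "s": {}}[snap]
        dt = datetime.fromtimestamp(t, timezone.utc)
        t = int(dt.replace(microsecond=0, **zero).timestamp())
    return t


# Constructed sample events (not real syslog). Field names mirror the
# Splunk defaults the searches use: _time, _indextime, _raw.
NOW = _epoch(2024, 3, 15, 10, 30, 0)  # fixed now() so results are stable
SAMPLE_EVENTS = [
    {"_time": _epoch(2024, 3, 14, 8, 0, 0), "_indextime": _epoch(2024, 3, 14, 8, 0, 5),
     "_raw": "Mar 14 08:00:00 host1 sshd[101]: Accepted publickey for ops"},
    {"_time": _epoch(2024, 3, 14, 23, 59, 50), "_indextime": _epoch(2024, 3, 15, 0, 0, 2),
     "_raw": "Mar 14 23:59:50 host1 cron[202]: session opened"},
    # Indexed two hours after its parsed timestamp: the skew we want to find.
    {"_time": _epoch(2024, 3, 14, 6, 0, 0), "_indextime": _epoch(2024, 3, 14, 8, 0, 0),
     "_raw": "Mar 14 06:00:00 host2 kernel: link up"},
    # Skewed, and indexed exactly at midnight: sits on the D1 boundary.
    {"_time": _epoch(2024, 3, 13, 22, 0, 0), "_indextime": _epoch(2024, 3, 14, 0, 0, 0),
     "_raw": "Mar 13 22:00:00 host2 sudo: ops : TTY=pts/0"},
    # Timestamp parsed as later than the index time (negative delta).
    {"_time": _epoch(2024, 3, 14, 12, 0, 0), "_indextime": _epoch(2024, 3, 14, 11, 59, 0),
     "_raw": "Mar 14 12:00:00 host3 ntpd[303]: time reset"},
]


def find_timestamp_skew(events, threshold=3600):
    """First search: rows where _indextime - _time > threshold.
    Like the SPL, this only catches late indexing; a timestamp parsed as
    being in the future gives a negative delta and would need abs(delta)."""
    rows = []
    for ev in events:
        delta = ev["_indextime"] - ev["_time"]
        if delta > threshold:
            rows.append({"TimeStamp": ctime(ev["_time"]),
                         "IndexTime": ctime(ev["_indextime"]),
                         "delta": delta, "Raw": ev["_raw"]})
    return rows


def indexed_yesterday(events, now):
    """Second search: events whose index time falls in yesterday's window.
    The page's `where IndexTime > D1` is strict, so an event indexed at
    exactly 00:00:00 yesterday is excluded; use >= to include it."""
    d0 = relative_time(now, "@d")     # today 00:00
    d1 = relative_time(now, "-1d@d")  # yesterday 00:00
    return [ev for ev in events if d1 < ev["_indextime"] < d0]


if __name__ == "__main__":
    for row in find_timestamp_skew(SAMPLE_EVENTS):
        print(row["TimeStamp"], row["IndexTime"], row["delta"], row["Raw"])
    print(len(indexed_yesterday(SAMPLE_EVENTS, NOW)), "events indexed yesterday")
```

Running it lists the two events whose index time is 7200 seconds behind their parsed timestamp, and reports three events indexed during yesterday: the one indexed exactly at yesterday's midnight is dropped by the strict comparison, which is worth remembering when checking for missing events at a window boundary. On a real indexer the same window can also be applied with the `_index_earliest` and `_index_latest` search modifiers instead of filtering with `where` after the fact.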