Community:Search by time of indexing

From Splunk Wiki

Jump to: navigation, search

Search for events by the (epoch) time they were indexed:

foo _indextime=12560* | rename _indextime as indexedtime

Or the more friendly:

foo | rename _indextime as indexedtime | convert ctime(indexedtime) as humanindexedtime

Retrieved from "https://wiki.splunk.com/index.php?title=Community:Search_by_time_of_indexing&oldid=50796"

Views

Personal tools

Hot Wiki Topics

About Splunk >

Search and navigate IT data from applications, servers and network devices in real-time.
Download Splunk

Tools