What is the difference between lastTime and recentTime in a metadata search?

1 1	What is the difference between lastTime and recentTime in a metadata search? metadata asked 16 Aug '10, 20:49 sfmandmdev 85●5 accept rate: 0%

2 Answers:

3	The recentTime field represents the most recent timestamp seen for the given source, sourcetype or host, while lastTime represents the latest time ever seen for it. link answered 16 Aug '10, 21:23 Stephen Sorkin ♦ 8.1k●4●7 accept rate: 52%

Thanks Stephen. So just to confirm, recentTime is to most recent event time as lastTime is to most recent indexed time. Is that correct?

link

answered 17 Aug '10, 14:05

sfmandmdev
85●5
accept rate: 0%

The second half of your analogy doesn't sound quite right, as lastTime is the latest timestamp in the index.

(17 Aug '10, 15:05) Stephen Sorkin ♦

Post your answer

toggle preview

Email:

RSS:

Answers

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "Title")
image?![alt text](/path/img.jpg "Title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

Tags:

Asked: 16 Aug '10, 20:49

Seen: 714 times

Last updated: 17 Aug '10, 14:05