I'm trying to see if a clock is off on some of my servers and I want to compare the _time field with the time the event was indexed. From looking around, I thought that _indextime was supposed to give me that. But that field isn't available in my data...
How do I find out when Splunk indexed an event?
Thx.
C
_indextime is definitely not deprecated. To get it to show, you must rename it to a field name that doesn't begin with an underscore.
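An added example, not part of the original answer: a search that copies _indextime into a visible field and summarizes the gap between index time and event time per host, which is the comparison the question asks for. The `index=*` scope, the four-hour window, the 300-second threshold and the output field names are assumptions to adjust for your environment.

```spl
index=* earliest=-4h
| eval indextime=_indextime
| eval lag_seconds=indextime-_time
| stats count min(lag_seconds) AS min_lag median(lag_seconds) AS median_lag max(lag_seconds) AS max_lag max(indextime) AS last_indexed BY host
| eval last_indexed=strftime(last_indexed, "%Y-%m-%d %H:%M:%S")
| where median_lag < 0 OR median_lag > 300
| sort - median_lag
```

A negative median lag means events carry timestamps later than the moment they were indexed, which points at a clock running ahead or a timezone parsed incorrectly. A large positive lag can be a slow clock but also ordinary forwarding delay, so check the host's time source before drawing conclusions.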