To search data based on the order that Collectors received the messages use Receipt Time. This option has the search reference the metadata field
_receiptTime instead of
_messageTime, giving you the ability to view the difference in the parsed timestamp (
_messageTime) and receipt time (
_receiptTime) to pinpoint Sources that may be parsing the message's timestamps incorrectly.
Run a search by Receipt Time
To run a search by Receipt Time, select the Use Receipt Time check box:
- Enter your query in the search text box.
- Choose the Time Range for the query.
- Select Use Receipt Time.
- Review the search results for wide discrepancies between message timestamp and receipt time to pinpoint Sources with incorrect timestamps:
Resolving timestamp/receipt time issues
If you notice an issue between timestamps and receipt time values, you can double-check the Source’s settings. You can manually specify the parse format for the Source, and test the format to make sure it’s valid. See troubleshooting large message time and receipt time discrepancies.
Alternately, if you’re noticing that timestamps are not parsing properly, check the timestamp conventions of your logs. Learn more in Timestamps, Time Zones, Time Ranges, and Date Formats.