If you manage Splunk, you might want to know when the log is indexed. Basically we can know when the log was generated by means of _time keyword, however it’s not indicated indexing time. _indextime indicates indexing time.
Here is a sample to compare the result of using between _time and _indextime. As you can see the graph below, lots of log for 5 days at least was collected at 18th Mar. 2015.
your query | fillnull | eval _tme = _indextime | timechart cont=t usenull=f useother=f span=1d count by cs_host
your query | timechart usenull=f useother=f span=1d count by cs_host
Practical Security 