Implementing Splunk 7(Third Edition)

_indextime versus _time

It is important to note that events are generally not received at the moment stated in the event itself. In most installations the discrepancy is only a few seconds, but if logs arrive in batches (for example, a forwarder that was disconnected and later catches up), the latency can be much larger. The time at which an event is actually written to the Splunk index is kept in the internal field _indextime.

The time that is parsed out of the event is stored in _time.

You will probably never search against _indextime directly, but you should understand that the time range of a search is applied to the time parsed from the event, not to the time at which the event was indexed. An event that arrives late keeps its original _time, so it can land inside a time window you have already searched or alerted on, and you will not see it unless you search that window again.
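The one place where comparing the two fields is worth the effort is measuring ingestion lag, since a large gap between _indextime and _time is exactly what makes a scheduled search or alert miss events. The following SPL is an added example, not code from the book; the index name, the 15-minute window and the one-hour threshold are assumptions for illustration.

```spl
# Added example (not from the book): measure ingestion latency per host and sourcetype.
# index=main, the 15-minute window and the 3600-second threshold are assumed values.
index=main earliest=-15m
| eval lag_seconds=_indextime-_time
| eval indexed_at=strftime(_indextime, "%Y-%m-%d %H:%M:%S")
| stats count
        avg(lag_seconds) AS avg_lag
        max(lag_seconds) AS max_lag
        by host sourcetype
| where max_lag > 3600
| sort - max_lag
```

Because _time is the field the time picker filters on, the search above still only sees events whose parsed timestamp falls inside the last 15 minutes. To ask instead "what was written to the index in the last 15 minutes, whatever timestamp it carries", use the index-time modifiers `_index_earliest=-15m _index_latest=now` in place of `earliest`, optionally with `earliest=0` so that late events with old timestamps are not excluded by the default time range. Running that variant after a forwarder reconnects is a quick way to confirm that the backlog has arrived and which time windows now need to be re-examined.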