First time data and missing data

This topic describes how first time data and missing data are determined.

When you turn on Ingest monitoring, the app immediately begins identifying data entities that ingest data into Splunk. To track these entities, the app uses a KV store lookup called last_index_event_lookup. For each discovered data entity, the app records the following timestamps:

  1. Latest event time (latest_event_time): The timestamp of the most recent event ingested for the data entity.

  2. Latest index time (latest_index_time): The timestamp indicating when Splunk indexed the most recent event for the data entity.

  3. First seen time (first_seen_time): The timestamp indicating when the app first detected an event from the data entity.

These timestamps provide valuable insights into the behavior and activity of your data entities, helping you monitor ingestion trends effectively.
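
The following is an added example, not the app's own code or detection logic. It shows how the three timestamps in a row of last_index_event_lookup could be used to flag first time, missing, and delayed data entities. The thresholds, the name key, epoch-second storage, and the sample rows are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed thresholds (not taken from the app); tune them per data entity.
FIRST_TIME_WINDOW = 24 * 3600  # "first time" for 24 h after first_seen_time
MISSING_AFTER = 4 * 3600       # "missing" after 4 h with nothing newly indexed
MAX_INDEX_LAG = 15 * 60        # "delayed" if indexed > 15 min after event time

@dataclass
class Entity:
    name: str               # hypothetical key; the page does not name the key field
    latest_event_time: int  # epoch seconds (assumed storage format)
    latest_index_time: int
    first_seen_time: int

def classify(e, now):
    """Return the set of findings for one lookup row at time `now`."""
    findings = set()
    if now - e.first_seen_time <= FIRST_TIME_WINDOW:
        findings.add("first_time")
    # Silence is measured on index time: it is stamped by Splunk when the data
    # arrives, so a skewed clock on the sender cannot hide or fake an outage.
    if now - e.latest_index_time >= MISSING_AFTER:
        findings.add("missing")
    lag = e.latest_index_time - e.latest_event_time
    if lag > MAX_INDEX_LAG:
        findings.add("delayed")            # backlog or slow forwarding
    elif lag < 0:
        findings.add("future_event_time")  # sender clock ahead or bad parsing
    return findings

def report(rows, now):
    """Map entity name -> findings, omitting entities with no findings."""
    results = {e.name: classify(e, now) for e in rows}
    return {name: f for name, f in results.items() if f}

# Constructed sample rows; NOW is a fixed reference time so results are stable.
NOW = 1_700_000_000
ROWS = [
    Entity("fw-edge-01", NOW - 60, NOW - 55, NOW - 90 * 86400),   # healthy
    Entity("dc-auth-02", NOW - 21600, NOW - 21595, NOW - 30 * 86400),  # silent 6 h
    Entity("vpn-new-03", NOW - 120, NOW - 110, NOW - 2 * 3600),   # seen 2 h ago
    Entity("proxy-04", NOW - 3 * 3600, NOW - 300, NOW - 10 * 86400),  # late index
    Entity("iot-05", NOW + 7200, NOW - 30, NOW - 5 * 86400),      # clock ahead
]

if __name__ == "__main__":
    for name, findings in report(ROWS, NOW).items():
        print(name, sorted(findings))
```

A security data entity flagged as missing is a detection gap until it resumes, so in practice the missing threshold is usually set tighter for authentication and perimeter sources than for low-volume ones.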