https://community.splunk.com/t5/Splunk-Enterprise/Discrepancy-in-time-extraction/m-p/506608#M2300 <P>Need some help in understanding how the _time, timestamp default fields are extracted. Raw event as mentioned below and the field values extracted for respective event is as mentioned below. As can clearly be seen&nbsp; I dont see anything that could relate to the value extracted in _time field. Any pointer related to this would be much helpful.</P><P>Fields extracted:</P><P>@timestamp&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; |&nbsp; &nbsp; &nbsp; _time&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;|&nbsp; timestamp<BR />2020-06-22T15:17:34.892576+00:00 | 2020-06-17 17:54:50 | 2020-06-23 01:17:34.888</P><P>Raw event:</P><P>=========</P><P>{"docker":{"container_id":"c0cb3bd3563f5f01133bcc496479b77b6c72bf898f24612ad7634b50a1749301"},"test":{"container_name":"anything","namespace_name":"test10-project","pod_name":"anything-1-w44fj","pod_id":"9289218b-b1cc-11ea-abcd-005056a44ead","labels":{"app":"anything","deployment":"anything-1","deploymentconfig":"anything"},"host":"ost-clb-osp-app-c02.linux.ostravam.corp.telstra.com","master_url":"<A href="https://test.default.svc.cluster.local&quot;,&quot;namespace_id&quot;:&quot;0fbe0d11-cade-11e9-a562-005056a44ead&quot;},&quot;message&quot;:&quot;2020-06-23" target="_blank" rel="noopener">https://test.default.svc.cluster.local","namespace_id":"0fbe0d11-cade-11e9-a562-005056a44ead"},"message":"2020-06-23</A> 01:17:34.888 DEBUG --- [nio-8090-exec-5] o.s.web.servlet.DispatcherServlet : GET \"/healthcheck\", parameters={}\n","level":"info","hostname":"xxxxxxxxxxxxx","pipeline_metadata":{"collector":{"ipaddr4":"10.130.5.172","ipaddr6":"fe80::823:d3ff:fe3f:bf2d","inputname":"fluent-plugin-systemd","name":"fluentd","received_at":"2020-06-22T15:17:35.076698+00:00","version":"0.12.43 1.6.0"}},"@timestamp":"2020-06-22T15:17:34.892576+00:00","viaq_index_name":"project.test10-project.0fbe0d11-cade-11e9-a562-005056a44ead.2020.06.22","viaq_msg_id":"YzY0NWI1ZGItMjc5Ni00YWI2LWI4OWUtMWZkODU1NTRlNjdj","forwarded_by":"standalone-fluentd-splunk.openshift-logging.svc.cluster.local","source_component":"testsource"}</P> Tue, 30 Jun 2020 00:18:12 GMT sdkp03 2020-06-30T00:18:12Z https://community.splunk.com/t5/Splunk-Enterprise/Discrepancy-in-time-extraction/m-p/506608#M2300 <P>Need some help in understanding how the _time, timestamp default fields are extracted. Raw event as mentioned below and the field values extracted for respective event is as mentioned below. As can clearly be seen&nbsp; I dont see anything that could relate to the value extracted in _time field. Any pointer related to this would be much helpful.</P><P>Fields extracted:</P><P>@timestamp&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; |&nbsp; &nbsp; &nbsp; _time&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;|&nbsp; timestamp<BR />2020-06-22T15:17:34.892576+00:00 | 2020-06-17 17:54:50 | 2020-06-23 01:17:34.888</P><P>Raw event:</P><P>=========</P><P>{"docker":{"container_id":"c0cb3bd3563f5f01133bcc496479b77b6c72bf898f24612ad7634b50a1749301"},"test":{"container_name":"anything","namespace_name":"test10-project","pod_name":"anything-1-w44fj","pod_id":"9289218b-b1cc-11ea-abcd-005056a44ead","labels":{"app":"anything","deployment":"anything-1","deploymentconfig":"anything"},"host":"ost-clb-osp-app-c02.linux.ostravam.corp.telstra.com","master_url":"<A href="https://test.default.svc.cluster.local&quot;,&quot;namespace_id&quot;:&quot;0fbe0d11-cade-11e9-a562-005056a44ead&quot;},&quot;message&quot;:&quot;2020-06-23" target="_blank" rel="noopener">https://test.default.svc.cluster.local","namespace_id":"0fbe0d11-cade-11e9-a562-005056a44ead"},"message":"2020-06-23</A> 01:17:34.888 DEBUG --- [nio-8090-exec-5] o.s.web.servlet.DispatcherServlet : GET \"/healthcheck\", parameters={}\n","level":"info","hostname":"xxxxxxxxxxxxx","pipeline_metadata":{"collector":{"ipaddr4":"10.130.5.172","ipaddr6":"fe80::823:d3ff:fe3f:bf2d","inputname":"fluent-plugin-systemd","name":"fluentd","received_at":"2020-06-22T15:17:35.076698+00:00","version":"0.12.43 1.6.0"}},"@timestamp":"2020-06-22T15:17:34.892576+00:00","viaq_index_name":"project.test10-project.0fbe0d11-cade-11e9-a562-005056a44ead.2020.06.22","viaq_msg_id":"YzY0NWI1ZGItMjc5Ni00YWI2LWI4OWUtMWZkODU1NTRlNjdj","forwarded_by":"standalone-fluentd-splunk.openshift-logging.svc.cluster.local","source_component":"testsource"}</P> Tue, 30 Jun 2020 00:18:12 GMT https://community.splunk.com/t5/Splunk-Enterprise/Discrepancy-in-time-extraction/m-p/506608#M2300 sdkp03 2020-06-30T00:18:12Z https://community.splunk.com/t5/Splunk-Enterprise/Discrepancy-in-time-extraction/m-p/506610#M2302 <P>By default, Splunk will look in the first 128 characters of an event to find something that looks like a timestamp.&nbsp; It can be in one of many forms (see datetime.xml), even a 10-digit number.&nbsp; See&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.0.4/Data/HowSplunkextractstimestamps#How_Splunk_software_assigns_timestamps" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.0.4/Data/HowSplunkextractstimestamps#How_Splunk_software_assigns_timestamps</A>&nbsp;for more information.</P><P>This shows why it is a Best Practice to always specify <FONT face="courier new,courier">TIME_PREFIX</FONT>, <FONT face="courier new,courier">TIME_FORMAT</FONT>, and <FONT face="courier new,courier">MAX_TIMESTAMP_LOOKAHEAD</FONT> for all sourctypes.</P> Tue, 30 Jun 2020 00:42:57 GMT https://community.splunk.com/t5/Splunk-Enterprise/Discrepancy-in-time-extraction/m-p/506610#M2302 richgalloway 2020-06-30T00:42:57Z