https://community.splunk.com/t5/Splunk-Search/Events-recevie-date-time/m-p/62220#M15376 <P>Are you asking how Splunk assigns a timestamp to events coming into Splunk?</P> <P>See the documentation at <A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps" target="_blank">http://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps</A></P> <P>Splunk uses the following precedence rules to assign timestamps to events:</P> <OL> <LI><P>Splunk looks for a time or date in the event itself using an explicit TIME_FORMAT, if provided. You configure TIME_FORMAT in props.conf.</P></LI> <LI><P>If no TIME_FORMAT was configured for the data, Splunk attempts to automatically identify a time or date in the event itself. It uses the event's source type (which includes TIME_FORMAT information) to try to find the timestamp.</P></LI> <LI><P>If an event doesn't have a time or date, Splunk uses the timestamp from the most recent previous event of the same source.</P></LI> <LI><P>If no events in a source have a date, Splunk tries to find one in the source name or file name. (This requires that the events have a time, even though they don't have a date.)</P></LI> <LI><P>For file sources, if no time or date can be identified in the file name, Splunk uses the file's modification time.</P></LI> <LI><P>As a last resort, Splunk sets the timestamp to the current system time when indexing each event.</P></LI> </OL> Mon, 28 Sep 2020 13:31:19 GMT datasearchninja 2020-09-28T13:31:19Z https://community.splunk.com/t5/Splunk-Search/Events-recevie-date-time/m-p/62218#M15374 <P>After the events received, how to identify the events receiving date &amp; time?</P> Fri, 15 Mar 2013 01:34:05 GMT https://community.splunk.com/t5/Splunk-Search/Events-recevie-date-time/m-p/62218#M15374 rossikwan 2013-03-15T01:34:05Z https://community.splunk.com/t5/Splunk-Search/Events-recevie-date-time/m-p/62219#M15375 <P>Hey rossikwan...can we get a little more information here. What is the data you are trying to put into splunk and let us know what it is displaying as date and time?<BR /> Regards Vince</P> Fri, 15 Mar 2013 03:02:55 GMT https://community.splunk.com/t5/Splunk-Search/Events-recevie-date-time/m-p/62219#M15375 vincesesto 2013-03-15T03:02:55Z https://community.splunk.com/t5/Splunk-Search/Events-recevie-date-time/m-p/62220#M15376 <P>Are you asking how Splunk assigns a timestamp to events coming into Splunk?</P> <P>See the documentation at <A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps" target="_blank">http://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps</A></P> <P>Splunk uses the following precedence rules to assign timestamps to events:</P> <OL> <LI><P>Splunk looks for a time or date in the event itself using an explicit TIME_FORMAT, if provided. You configure TIME_FORMAT in props.conf.</P></LI> <LI><P>If no TIME_FORMAT was configured for the data, Splunk attempts to automatically identify a time or date in the event itself. It uses the event's source type (which includes TIME_FORMAT information) to try to find the timestamp.</P></LI> <LI><P>If an event doesn't have a time or date, Splunk uses the timestamp from the most recent previous event of the same source.</P></LI> <LI><P>If no events in a source have a date, Splunk tries to find one in the source name or file name. (This requires that the events have a time, even though they don't have a date.)</P></LI> <LI><P>For file sources, if no time or date can be identified in the file name, Splunk uses the file's modification time.</P></LI> <LI><P>As a last resort, Splunk sets the timestamp to the current system time when indexing each event.</P></LI> </OL> Mon, 28 Sep 2020 13:31:19 GMT https://community.splunk.com/t5/Splunk-Search/Events-recevie-date-time/m-p/62220#M15376 datasearchninja 2020-09-28T13:31:19Z https://community.splunk.com/t5/Splunk-Search/Events-recevie-date-time/m-p/62221#M15377 <P>Thanks and could there a method to show when did that event indexed in Splunk?</P> Fri, 15 Mar 2013 10:16:52 GMT https://community.splunk.com/t5/Splunk-Search/Events-recevie-date-time/m-p/62221#M15377 rossikwan 2013-03-15T10:16:52Z https://community.splunk.com/t5/Splunk-Search/Events-recevie-date-time/m-p/62222#M15378 <P>This information is available in the field <CODE>_indextime</CODE>. To make it "visible" for whatever purpose you're using it for you might want to use <CODE>eval</CODE>. For instance</P> <PRE><CODE>... | eval indextime=_indextime | convert ctime(indextime) | table indextime </CODE></PRE> Fri, 15 Mar 2013 10:18:46 GMT https://community.splunk.com/t5/Splunk-Search/Events-recevie-date-time/m-p/62222#M15378 Ayn 2013-03-15T10:18:46Z