https://community.splunk.com/t5/Splunk-Search/Question-about-quot-time-quot-field/m-p/358883#M164102 <P>Thanks Kamlesh.</P> Fri, 29 Dec 2017 12:34:04 GMT zacksoft 2017-12-29T12:34:04Z https://community.splunk.com/t5/Splunk-Search/Question-about-quot-time-quot-field/m-p/358879#M164098 <P>In Splunk I see this built in field "_time". I am able to use it in my stats and and it gives me some time.</P> <P><STRONG>My question is,<BR /> Does this field give the time when the event was generated by my corresponding "source server"?<BR /> OR <BR /> Does this field give me the time of when that event was indexed by the "Splunk server" ?</STRONG></P> Fri, 29 Dec 2017 10:10:53 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-quot-time-quot-field/m-p/358879#M164098 zacksoft 2017-12-29T10:10:53Z https://community.splunk.com/t5/Splunk-Search/Question-about-quot-time-quot-field/m-p/358880#M164099 <P>It is the time Splunk thinks the event occurred.<BR /> Not the time it was indexed.</P> Fri, 29 Dec 2017 10:12:59 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-quot-time-quot-field/m-p/358880#M164099 nickhills 2017-12-29T10:12:59Z https://community.splunk.com/t5/Splunk-Search/Question-about-quot-time-quot-field/m-p/358881#M164100 <P>Hi @zacksoft,<BR /> The _time field contains an event's timestamp expressed in Unix time. This field is used to create the event timeline in Splunk Web.<BR /> You can also go through below splunk docs.<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Usedefaultfields">https://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Usedefaultfields</A></P> Fri, 29 Dec 2017 11:49:07 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-quot-time-quot-field/m-p/358881#M164100 nikita_p 2017-12-29T11:49:07Z https://community.splunk.com/t5/Splunk-Search/Question-about-quot-time-quot-field/m-p/358882#M164101 <P>HI <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/65483">@zacksoft</a>,</P> <P>Does this field give the time when the event was generated by my corresponding "source server"? : No Not directly.<BR /> OR <BR /> Does this field give me the time of when that event was indexed by the "Splunk server"?</P> <P>Splunk software uses the following precedence rules to assign timestamps to events:</P> <UL> <LI>It looks for a time or date in the event itself using an explicit TIME_FORMAT, if provided. You configure the TIME_FORMAT attribute in props.conf.</LI> <LI>If no TIME_FORMAT was configured for the data, Splunk software attempts to automatically identify a time or date in the event itself. It uses the source type of the event (which includes TIME_FORMAT information) to try to find the timestamp.</LI> <LI>If an event has a time and date, but not a year, Splunk software determines the year, as described in How Splunk software determines timestamps with no year, and builds the timestamp from that.</LI> <LI>If no events in a source have a date, Splunk software tries to find a date in the source name or file name. Time of day is not identified in filenames. (This requires that the events have a time, even though they don't have a date.)</LI> <LI>For file sources, if no date can be identified in the file name, Splunk software uses the file modification time.</LI> <LI>As a last resort, Splunk software sets the timestamp to the current system time when indexing each event.</LI> </UL> <P>Check this link: <BR /> <A href="http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/HowSplunkextractstimestamps" target="_blank">http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/HowSplunkextractstimestamps</A></P> <P>Thanks<BR /> Kamlesh</P> Tue, 29 Sep 2020 17:23:22 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-quot-time-quot-field/m-p/358882#M164101 kamlesh_vaghela 2020-09-29T17:23:22Z https://community.splunk.com/t5/Splunk-Search/Question-about-quot-time-quot-field/m-p/358883#M164102 <P>Thanks Kamlesh.</P> Fri, 29 Dec 2017 12:34:04 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-quot-time-quot-field/m-p/358883#M164102 zacksoft 2017-12-29T12:34:04Z