Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Event Detail ++ _time field "+" icon

verbal_666
Builder
‎04-02-2024 09:09 PM

Hi there.
Did you saw in many events, exploding the event to detail, the _time field has a "+" icon on its side?

_time_+.png

Exploding it, give the detail of created _time field,

_time_+_expanded.png

What's that?

In other events i can't see the "+" icon, also on same server/path/log,

_time_NO+.png

Is it some kind of,

"+" == I, SPLUNK INDEXER, ELABORATED THE TIMESTAMP WITH MY ALGORITHMS BY MYSELF IN THIS WAY

clean, no "+" == automatic timestamp calculation, no elaboration, i found it yet cooked

?

 

Thanks.

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎04-02-2024 09:24 PM

Hi @verbal_666,

You can see related documentation below about timestamp information. The events that missing date_* fields may not have extracted time inside.  

https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usedefaultfields#Use_default_fields

Only events that have timestamp information in them as generated by their respective systems will have date_* fields. If an event has a date_* field, it represents the value of time/date directly from the event itself. If you have specified any timezone conversions or changed the value of the time/date at indexing or input time (for example, by setting the timestamp to be the time at index or input time), these fields will not represent that.

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎04-02-2024 09:24 PM

Hi @verbal_666,

You can see related documentation below about timestamp information. The events that missing date_* fields may not have extracted time inside.  

https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usedefaultfields#Use_default_fields

Only events that have timestamp information in them as generated by their respective systems will have date_* fields. If an event has a date_* field, it represents the value of time/date directly from the event itself. If you have specified any timezone conversions or changed the value of the time/date at indexing or input time (for example, by setting the timestamp to be the time at index or input time), these fields will not represent that.

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

verbal_666
Builder
‎04-02-2024 09:58 PM

Clear.
So, an event with _time field with "+", in practice, represents a complete _time extraction with all "date_*" underfields inside 👍
Thanks 👏👏

0 Karma
Reply
Get Updates on the Splunk Community!

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...