- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: timestamp equals none
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
timestamp equals none
I am trying to use the timestamp field to find the time diff between events. However, I see that the field equals none or is empty for all of my events for this particular log. Why would this field not be populated?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All events in Splunk have a timestamp; the name of the field is _time. It is an internal field, which may or may not be derived directly from the data in the source log files. Internal fields do not appear in the fields sidebar; perhaps that is why you didn't know about it.
As Ayn points out, there are whole sections in the Splunk documentation that deal with configuring timestamps: Configure timestamp recognition is a good read.
In summary: Splunk looks first at the event and tries to find a timestamp. While you can configure timestamp recognition, Splunk is quite good at automatically interpreting timestamps if they are in a reasonable format. Splunk also can apply a time zone adjustment to the timestamp, if you have configured it.
If there is no timestamp in the event itself, Splunk looks for other ways of identifying the likely time of the event, such as the source file modification time.
If all else fails as Splunk is parsing the event, Splunk uses the clock time as the event timestamp.
Based on the above, Splunk calculates and stores the timestamp in _time.
Splunk does not change the actual format or content of the event; the _time field exists as metadata for every event. There is no "timestamp" column, unless you have a specific source that defines such a field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How Splunk deals with timestamps - http://docs.splunk.com/Documentation/Splunk/5.0/Data/Configuretimestamprecognition
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn - I get a table with event time and source. So that seems good. In looking at some other logs, I can't find the timestamp column populated their either. Does it matter? Is timestamp something Splunk creates or does it reference a field in the log it copies wholesale?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also the _time field always exists for events in Splunk's index. If you dont't see it you're doing something wrong.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Shouldn't that be _time?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What do you get if you do the following?
source=thelogwithaproblem
| table _time, source
(Thanks @Ayn - I must have had a little mental vacation there)
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
