I am trying to use the timestamp field to find the time diff between events. However, I see that the field equals none or is empty for all of my events for this particular log. Why would this field not be populated?
lguinn - I get a table with event time and source. So that seems good. In looking at some other logs, I can't find the timestamp column populated there either. Does it matter? Is timestamp something Splunk creates or does it reference a field in the log it copies wholesale?
All events in Splunk have a timestamp; the name of the field is _time. It is an internal field, which may or may not be derived directly from the data in the source log files. Internal fields do not appear in the fields sidebar; perhaps that is why you didn't know about it.
In summary: Splunk looks first at the event and tries to find a timestamp. While you can configure timestamp recognition, Splunk is quite good at automatically interpreting timestamps if they are in a reasonable format. Splunk also can apply a time zone adjustment to the timestamp, if you have configured it.
If there is no timestamp in the event itself, Splunk looks for other ways of identifying the likely time of the event, such as the source file modification time.
If all else fails as Splunk is parsing the event, Splunk uses the clock time as the event timestamp.
Based on the above, Splunk calculates and stores the timestamp in
Splunk does not change the actual format or content of the event; the _time field exists as metadata for every event. There is no "timestamp" column, unless you have a specific source that defines such a field.
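As an added example (not part of lguinn's answer or the original thread), the search below uses the internal _time field the answer describes to compute the gap between consecutive events per source, and also compares _time with the internal _indextime field. The index and sourcetype names are placeholders; substitute your own.

```spl
index=main sourcetype=my_app_log
| sort 0 _time
| streamstats current=f last(_time) as prev_time by source
| eval gap_seconds = _time - prev_time
| eval gap_readable = tostring(gap_seconds, "duration")
| eval index_lag = _indextime - _time
| table _time source gap_seconds gap_readable index_lag
```

`streamstats current=f last(_time)` carries the previous event's _time forward, so `gap_seconds` is the time difference the question is after; `sort 0` removes the default result limit so ordering covers every event. The `index_lag` column is a quick sanity check on the fallback behaviour the answer describes: when Splunk could not find a timestamp in the event and fell back to the clock time at parsing, _time lands very close to _indextime, so a whole source with `index_lag` near zero is a sign that timestamp recognition should be reviewed before trusting the gaps.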