timestamp equals none

Path Finder

I am trying to use the timestamp field to find the time diff between events. However, I see that the field equals none or is empty for all of my events for this particular log. Why would this field not be populated?


Re: timestamp equals none

Legend

What do you get if you do the following?

source=thelogwithaproblem
| table _time, source

(Thanks @Ayn - I must have had a little mental vacation there)

Re: timestamp equals none

Legend

Shouldn't that be _time?

Re: timestamp equals none

Legend

Also the _time field always exists for events in Splunk's index. If you don't see it you're doing something wrong.

Re: timestamp equals none

Path Finder

lguinn - I get a table with event time and source. So that seems good. In looking at some other logs, I can't find the timestamp column populated there either. Does it matter? Is timestamp something Splunk creates or does it reference a field in the log it copies wholesale?

Re: timestamp equals none

Legend

All events in Splunk have a timestamp; the name of the field is _time. It is an internal field, which may or may not be derived directly from the data in the source log files. Internal fields do not appear in the fields sidebar; perhaps that is why you didn't know about it.

As Ayn points out, there are whole sections in the Splunk documentation that deal with configuring timestamps: Configure timestamp recognition is a good read.

In summary: Splunk looks first at the event and tries to find a timestamp. While you can configure timestamp recognition, Splunk is quite good at automatically interpreting timestamps if they are in a reasonable format. Splunk also can apply a time zone adjustment to the timestamp, if you have configured it.

If there is no timestamp in the event itself, Splunk looks for other ways of identifying the likely time of the event, such as the source file modification time.

If all else fails as Splunk is parsing the event, Splunk uses the clock time as the event timestamp.

Based on the above, Splunk calculates and stores the timestamp in _time.

Splunk does not change the actual format or content of the event; the _time field exists as metadata for every event. There is no "timestamp" column, unless you have a specific source that defines such a field.
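As an added example (not part of the thread above), this is the kind of search that answers the original question using _time rather than a "timestamp" column: it computes the gap between consecutive events, and it also flags events whose _time came from one of the fallbacks lguinn describes (file modification time or clock time) rather than from the event text, since Splunk only creates the date_* fields when the timestamp was parsed out of the raw event. The source name is the placeholder from lguinn's first reply; grouping by host and the index-lag column are assumptions about what you would want to inspect.

```spl
source=thelogwithaproblem
| eval index_lag_seconds = _indextime - _time
| sort 0 _time
| streamstats current=f last(_time) as prev_time by host
| eval gap_seconds = _time - prev_time
| eval timestamp_source = if(isnotnull(date_year), "parsed from event", "fallback (modtime or clock)")
| table _time, prev_time, gap_seconds, index_lag_seconds, timestamp_source, host
```

A large index_lag_seconds, or many rows marked as fallback, is the signal that timestamp recognition for that source needs the props.conf configuration the Splunk documentation covers.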