If everything goes well with the parsing of timestamps, _time and the timestamp in the event will be the same - adjusted for TZ.

If Splunk does not understand the timestamp, there are a few fallbacks (modtime of source file, timestamp of previous event, local time on indexer).

In your case, you might want to explain to splunk how your timestamp is to be parsed. This is done in the TIME_FORMAT parameter in props.conf.

[your_sourcetype]
TIME_FORMAT = %k%M%S

You most likely want to add the date variables to that parameter as well, if they exist in your log. Post some sample events if you want help with this, it's always a good idea.

For more info on timestamp variables and how Splunk identifies timestamps, see;
www.strftime.net
http://docs.splunk.com/Documentation/Splunk/5.0.3/Data/HowSplunkextractstimestamps
http://docs.splunk.com/Documentation/Splunk/5.0.3/Data/Configuretimestamprecognition

NB: If you want to check indexing lag, i.e. the difference between the creation of an event, and the time it is indexed in splunk, you need to look at the _indextime field, e.g.;

your search | eval lag = _indextime - _time | stats avg(lag) by host

UPDATE:

I'm sorry.

The log occurred at the timestamp in the event. By definition, there is no difference. And if there was, there is no way for you to know.

A program experiences an event 'X' that is supposed to be printed as a line of log in a file. However, it does not do that immediately (at time T), but waits a few minutes and then writes it to file (at time T+5), setting the timestamp in the event to T+5. How could you know when 'X' really happened? If you have such doubts regarding the quality of your data, you probably have bigger issues to deal with than this.

Moving back into the realm of the possible, here is what Splunk will provide you with for your time computing needs. There are four types of time 'objects' in each event;

1) the timestamp in the event which can look pretty much like anything

2) _time which is how Splunk parsed the timestamp (1). This is expressed as epoch. Also, _time will be adjusted if there is TZ information either in timestamp (1), or in props.conf for type of data. Usually this goes well. But sometimes you need to give Splunk a nudge. _time is also what is printed next to each event when they are presented as search results (but in a nicer format than epoch).

3) _indextime is the system time of the indexer, when this particular event was indexed. Also in epoch.

4) the date_*-fields, which is the parsed timestamp (1) broken into its individual pieces, i.e. year, hour, second etc. This does read the event data literally, and does not take any TZ information into account. Strings and/or numbers.

UPDATE:

Does the little timestamp beside the event (on the left side) correspond to the timestamp within the event?

If "YES", then the parsing of the timestamp is correct, and there will be no differences because they are the same - although the presentation of the timestamps may differ, e.g. 12-hour vs 24-hour clock.

If "NO", then you need to fix your parsing of the timestamp, or configure your logging, so that a more complete timestamp is logged.

What you CAN measure is indexing lag, which is the difference between _indextime and _time. _indextime is not normally shown anywhere, so you'll have to evaluate it like so;

... | eval lag = _indextime - _time

Hope this helps,

Kristian