Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Difference between (_time) internal field and (timestamp) default field

PowerPacked
Builder
‎02-04-2019 10:47 PM

Guys

I cant find the difference between _time internal field and timestamp default field in docs anywhere, Can someone help me with this
or are they same ?

Here is the link to Splunk doc which shows them differently.
https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/Aboutdefaultfields

Thanks

0 Karma
Reply

woodcock
Esteemed Legend
‎02-05-2019 11:50 AM

The timestamp that is presented to you is the _time value adjusted by your personal Time zone setting in you user settings.

0 Karma
Reply

PowerPacked
Builder
‎02-05-2019 12:15 PM

Thanks for the answer

If you go through the above doc in the question, it says

Splunk will extract default fields like host,timestamp,source etc. & Internal fields like _time,_raw, etc. for every event at index time

I can see _time, linecount,punct all other internal & default field value for every event
but i dont see timestamp field value for any event.

& i am trying to understand diff between _time and timestamp field value for any event.

Can you explain me this or provide sample image which shows _time and timestamp field value for any event.

0 Karma
Reply

vishaltaneja070
Motivator
‎02-04-2019 11:05 PM

Hello @PowerPacked

I guess you are talking about TIMESTAMP_FIELDS parameter in props.conf.
First of all TIMESTAMP_FIELD is a field in your data which will at the end contribute to _time. Like if you have some structured data where you have multiple time fields so you can specify which field should be _time. So we mention the TIMESTAMP field there.

For better understanding, refer this link: 

https://docs.splunk.com/Documentation/Splunk/7.2.3/Admin/Propsconf

I hope this answers your question.

0 Karma
Reply

PowerPacked
Builder
‎02-05-2019 09:51 AM

https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/Aboutdefaultfields

0 Karma
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎02-04-2019 10:50 PM

There is no "timestamp" default field. Are you able to supply more information about where you are seeing this field? It might be an indexed extraction or appearing because of some other reason.

Cheers

0 Karma
Reply

PowerPacked
Builder
‎02-05-2019 09:51 AM

https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/Aboutdefaultfields

0 Karma
Reply

PowerPacked
Builder
‎02-05-2019 09:53 AM

Yes they are indexed extractions default fields - but i would like to know diff between them

0 Karma
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎02-05-2019 11:01 AM

_time is the time of the event in epoch time.

the other fields such as date_hour and date_minute etc are just partial versions there to be helpful. For example, if you wanted to find out the most poular hour of the day in your data you can do this: SEARCH | stats count by date_hour . Now if you dont like these fields you can disable them by setting this in props.conf

ADD_EXTRA_TIME_FIELDS = [true|false]
* This setting controls whether or not the following keys will be automatically
  generated and indexed with events:
    date_hour, date_mday, date_minute, date_month, date_second, date_wday,
    date_year, date_zone, timestartpos, timeendpos, timestamp.
* These fields are never required, and may be turned off as desired.
* Defaults to true and is enabled for most data sources.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...